Information Security Management Handbook, Fifth Edition. CRC Press LLC


AUERBACH PUBLICATIONS

A CRC Press Company

Boca Raton London New York Washington, D.C.

Edited by
Harold F. Tipton, CISSP
Micki Krause, CISSP


Chapter 1, “Enhancing Security through Biometric Technology,” by Stephen D. Fried, CISSP, © Lucent Technologies. All rights reserved.
Chapter 18, “Packet Sniffers and Network Monitors,” by James S. Tiller, CISA, CISSP, and Bryan D. Fish, CISSP, © Lucent Technologies. All rights reserved.
Chapter 30, “ISO/OSI Layers and Characteristics,” by George G. McBride, CISSP, © Lucent Technologies. All rights reserved.
Chapter 32, “IPSec Virtual Private Networks,” by James S. Tiller, CISA, CISSP, © INS. All rights reserved.
Chapter 58, “Security Patch Management,” by Jeffrey Davis, CISSP, © Lucent Technologies. All rights reserved.
Chapter 62, “Trust Governance in a Web Services World,” by Daniel D. Houser, CISSP, MBA, e-Biz+, © Nationwide Mutual Insurance Company. All rights reserved.
Chapter 68, “Security Assessment,” by Sudhanshu Kairab, © Copyright 2003 INTEGRITY. All rights reserved.
Chapter 70, “A Progress Report on the CVE Initiative,” by Robert Martin, Steven Christey, and David Baker, © Copyright 2003 MITRE Corp. All rights reserved.
Chapter 87, “How to Work with a Managed Security Service Provider,” by Laurie Hill McQuillan, © 2003 Laurie Hill McQuillan. All rights reserved.
Chapter 99, “Digital Signatures in Relational Database Applications,” by Mike R. Prevost, © 2002 Mike R. Prevost and Gradkell Systems, Inc. Used with permission.
Chapter 108, “Three New Models for the Application of Cryptography,” by Jay Heiser, CISSP, © Lucent Technologies. All rights reserved.
Chapter 110, “Message Authentication,” by James S. Tiller, CISA, CISSP, © INS. All rights reserved.
Chapter 128, “Why Today’s Security Technologies Are So Inadequate: History, Implications, and New Approaches,” by Steven Hofmeyr, Ph.D., © 2003 Sana Security. All rights reserved.
Chapter 131, “Improving Network-Level Security through Real-Time Monitoring and Intrusion Detection,” by Chris Hare, CISSP, CISA, © International Network Services. All rights reserved.
Chapter 142, “Liability for Lax Computer Security in DDOS Attacks,” by Dorsey Morrow, JD, CISSP, © 2003 Dorsey Morrow. All rights reserved.
Chapter 152, “CIRT: Responding to Attack,” by Chris Hare, CISSP, CISA, © International Network Services. All rights reserved.
Chapter 156, “Software Forensics,” by Robert M. Slade, © Robert M. Slade. All rights reserved.


Introduction
The research on risks, threats, and exposures continues to demonstrate the need for taking an assertive approach to information risk management. According to published sources:
• From 1989 to early 2003, the number of security incidents increased from 130 to over 42,000
• From 2000 to early 2003, the number of security vulnerabilities reported totals over 900, which is over twice the sum of vulnerabilities reported for the five previous years
• Since 1995, the annual increase in risk from Internet hacking is up 60% per year (U.S.)
• Since 1995, the annual increase in risk from viruses and worms is up over 100% per year (U.S.)
Of course, the precursors for taking an assertive approach to information risk management are possession of the requisite knowledge and skills, as well as the ability to apply that knowledge in practice.
The mission of the Information Security Management Handbook (ISMH) is to arm readers so that they are prepared to do battle in this challenging environment. The ISMH is designed to cover in detail the ten domains of the Information Security Common Body of Knowledge and to offer pragmatic counsel on the implementation of technologies, processes, and procedures. It is designed to empower the security professional, the information technology professional, and the chief information officer with the information they need to do their duty: protect the information assets of their organizations.
This Volume 5 is a blend of some of the most current articles from the previous edition along with new articles on topics that may not have been covered previously. It also includes articles on tried-and-true topics such as policies, firewalls, and Internet security, but with a differing focus or distinction based on the various authors’ experiences.
As always, this edition is a comprehensive tome that offers vast amounts of information protection and security advice, from policy development to cryptographic fundamentals and everything in between. Whether the reader is an experienced and certified professional (CISSP), an IT executive, or a novice firewall administrator, there is something worthwhile for all.
Hal Tipton
Micki Krause
December, 2003


Contributors
Thomas Akin, CISSP, has worked in information security for almost a decade. He is the founding director of the Southeast Cybercrime Institute, where he also serves as chairman of the Institute's Board of Advisors. He is an active member of the Georgia Cybercrime Task Force, where he heads the Task Force's Education Committee. Thomas also works with Atlanta's ISSA, InfraGard, and HTCIA professional organizations. He has published several articles on information security and is the author of Hardening Cisco Routers. He developed Kennesaw State University’s highly successful UNIX and Cisco training programs and, in addition to his security certifications, is also certified in Solaris, Linux, and AIX; is a Cisco Certified Academic Instructor (CCAI); and is a Certified Network Expert (CNX). He can be reached at takin@kennesaw.edu.
Mandy Andress, CISSP, SSCP, CPA, CISA, is Founder and President of ArcSec Technologies, a security consulting firm specializing in product/technology analysis. Before starting ArcSec Technologies, Mandy worked for Exxon USA and several Big 5 accounting firms, including Deloitte & Touche and Ernst & Young. After leaving the Big 5, Mandy became Director of Security for Privada, Inc., a privacy start-up in San Jose. At Privada, Mandy helped develop security policies, design a secure network, develop firewall/VPN solutions, increase physical security, secure product design, and perform periodic network vulnerability testing. Mandy has written numerous security product and technology reviews for various computer trade publications. A member of the Network World Global Test Alliance, she is also a frequent presenter at conferences, including Networld+Interop, Black Hat, and TISC. Mandy holds a BBA in accounting and an MS in MIS from Texas A&M University. She is the author of Surviving Security, 2nd Edition (Auerbach Publications, 2003).
Jim Appleyard is a senior security consultant with the IBM Security and Privacy Services consulting practice. With 33 years of technical and management experience in information technology, he specializes in enterprisewide information security policies and security architecture design. He has specific expertise in developing information security policies, procedures, and standards; conducting business impact analysis; performing enterprisewide security assessments; and designing data classification and security awareness programs.
David W. Baker is a member of the CVE Editorial Board. As a Lead INFOSEC Engineer in MITRE’s Security and Information Operations Division, he has experience in deployment and operation of large-scale intrusion detection systems, critical infrastructure protection efforts, and digital forensics research. A member of the American Academy of Forensic Sciences, Baker holds a bachelor’s degree from The State University of New York, and a Master of Forensic Science degree from George Washington University.
Dencho N. Batanov is with the School of Advanced Technologies at the Asian Institute of Technology in Pathumthani, Thailand.
John Berti, CISSP, is a Senior Manager in the Winnipeg Office of Deloitte & Touche LLP’s Security Services consulting practice. John has extensive experience in information security including E-business security controls, network security reviews, intrusion and penetration testing, risk analysis, policy development, security awareness, and information security assurance programs. John has over 18 years of Information Security experience and is presently a Senior Lead Instructor for (ISC)2, the organization responsible for worldwide CISSP certification of Information Security professionals. John is also an invited lecturer at some of the largest security conferences and has provided expert witness testimony and technical forensic assistance for various law enforcement agencies in Canada. John also possesses extensive investigative experience in dealing with various information security-related incidents for a large telecommunications company in Manitoba, relating to computer and toll fraud crimes.
Chuck Bianco, FTTR, CISA, CISSP, is an IT Examination Manager for the Office of Thrift Supervision in Dallas, Texas. He has represented his agency on the IT Subcommittee of the FFIEC. Bianco has experienced more than 600 IT examinations, participated in six IT symposia, written OTS’ original Disaster Recovery Bulletin, and led the Interagency Symposium resulting in SP–5. He was awarded the FFIEC Outstanding Examiner Award for significant contributions, and received two Department of the Treasury Awards for Outstanding Performance.
Christina M. Bird, Ph.D., CISSP, is a senior security analyst with Counterpane Internet Security in San Jose, California. She has implemented and managed a variety of wide-area-network security technologies, such as firewalls, VPN packages, and authentication systems; built and supported Internet-based remote access systems; and developed, implemented, and enforced corporate IS security policies in a variety of environments. Tina is the moderator of the Virtual Private Networks mailing list and the owner of "VPN Resources on the World Wide Web," a highly regarded vendor-neutral source of information about VPN technology. Tina has a BS in physics from Notre Dame and an MS and Ph.D. in astrophysics from the University of Minnesota.
Steven F. Blanding, CIA, CISA, CSP, CFE, CQA, was, when his contributions were written, the Regional Director of Technology for Arthur Andersen, based in Houston, Texas. Steve has 25 years of experience in the areas of financial auditing, systems auditing, quality assurance, information security, and business resumption planning for large corporations in the consulting services, financial services, manufacturing, retail electronics, and defense contract industries. Steve earned a BS in accounting from Virginia Tech and an MS in business information systems from Virginia Commonwealth University.
David Bonewell, CISSP, CISA, is a chief security architect with Teradata, Cincinnati, Ohio.
Kate Borten, CISSP, a nationally recognized expert in health information security and privacy, is president of The Marblehead Group. She has over 20 years of experience at Harvard University teaching hospitals, health centers, and physician practices, including as information security head at Massachusetts General Hospital and as Chief Information Security Officer at CareGroup in Boston. She is a frequent speaker at conferences sponsored by AHIMA, AMIA, CHIM, CHIME, CPRI, and HIMSS, and an advisor and contributor to “Briefings on HIPAA.”
Dan M. Bowers, CISSP, is a consulting engineer, author, and inventor in the field of security engineering.
Thomas J. Bray, CISSP, is a Principal Security Consultant with SecureImpact. He has more than 13 years of information security experience in banking, information technology, and consulting. Tom can be reached at tjbray@secureimpact.com. SecureImpact is a company dedicated to providing premier security consulting expertise and advice. SecureImpact has created its information and network service offerings to address the growing proliferation of security risks being experienced by small to mid-sized companies. Information about SecureImpact can be obtained by visiting www.secureimpact.com.
Allen Brusewitz, CISSP, CBCP, has more than 30 years of experience in computing in various capacities, including system development, EDP auditing, computer operations, and information security. He has continued his professional career leading consulting teams in cyber-security services with an emphasis on E-commerce security. He also participates in business continuity planning projects and is charged with developing that practice with his current company for delivery to commercial organizations.
Graham Bucholz is a computer security researcher for the U.S. government in Baltimore, Maryland.
Carl Burney, CISSP, is a Senior Internet Security Analyst with IBM in Salt Lake City, Utah.
Ken Buszta, CISSP, is Chief Information Security Officer for the City of Cincinnati, Ohio, and has more than ten years of IT experience and six years of InfoSec experience. He served in the U.S. Navy’s intelligence community before entering the consulting field in 1994. Should you have any questions or comments, he can be reached at Infosecguy@att.net.
James Cannady is a research scientist at Georgia Tech Research Institute. For the past seven years he has focused on developing and implementing innovative approaches to computer security in sensitive networks and systems in military, law enforcement, and commercial environments.
Ioana V. Carastan, CISSP, is a manager with Accenture’s global security consulting practice. She has written security policies, standards, and processes for clients in a range of industries, including financial services, high-tech, resources, and government.
Mark T. Chapman, CISSP, CISM, IAM, is the Director of Information Security Solutions for Omni Tech Corporation in Waukesha, Wisconsin. Mark holds an MS in computer science from the University of Wisconsin, Milwaukee, in the area of cryptography and information security. He has published several papers and has presented research at conferences in the United States, Asia, and Europe. He is the author of several security-related software suites, including the NICETEXT linguistic steganography package available at www.nicetext.com. Mark is a member of the executive planning committee for the Eastern Wisconsin Chapter of InfraGard. For questions or comments, contact Mark at mark.chapman@omnitechcorp.com.
Steven Christey is the editor of the CVE List and the chair of the CVE Editorial Board. His operational experience is in vulnerability scanning and incident response. His research interests include automated vulnerability analysis of source code, reverse-engineering of malicious executable code, and responsible vulnerability disclosure practices. He is a Principal INFOSEC Engineer in MITRE's Security and Information Operations Division. He holds a BS in computer science from Hobart College.
Samuel Chun, CISSP, is director for a technology consulting firm in the Washington, D.C., area.
Anton Chuvakin, Ph.D., GCIA, GCIH, is a senior security analyst with a major information security company. His areas of InfoSec expertise include intrusion detection, UNIX security, forensics, and honeypots. In his spare time, he maintains his security portal, www.infosecure.org.
Douglas G. Conorich, the Global Solutions Manager for IBM Global Services’ Managed Security Services, has over 30 years of experience in computer security, holding a variety of technical and management positions. He is responsible for developing new security offerings, ensuring that the current offerings are standardized globally, and overseeing training of new members of the MSS team worldwide. Mr. Conorich teaches people how to use the latest vulnerability testing tools to monitor Internet and intranet connections and to develop vulnerability assessments suggesting security-related improvements. Mr. Conorich is also actively engaged in the research of bugs and vulnerabilities in computer operating systems and Internet protocols and is involved in the development of customized alerts notifying clients of new potential risks to security. He has presented papers at over 400 conferences, has published numerous computer security-related articles on information security in various magazines and periodicals, and has held associate professor positions at several colleges and universities.
Michael J. Corby, CISSP, is Director of META Group Consulting. He was most recently president of QinetiQ Trusted Information Management and, prior to that, vice president of the Netigy Global Security Practice, CIO for Bain & Company, and CIO for the Riley Stoker division of Ashland Oil. He has more than 30 years of experience in the information security field and has been a senior executive in several leading IT and security consulting organizations. He was a founding officer of (ISC)2, developer of the CISSP program, and was named the first recipient of the CSI Lifetime Achievement Award. A frequent speaker and prolific author, Corby graduated from WPI in 1972 with a degree in electrical engineering.
Kellina M. Craig-Henderson, Ph.D., is an Associate Professor of Social Psychology at Howard University in Washington, D.C. Craig-Henderson’s work has been supported by grants from the National Science Foundation and the Center for Human Resource Management at the University of Illinois.
Jeffrey Davis, CISSP, has been working in information security for the past ten years. He is currently a senior manager at Lucent Technologies, involved with intrusion detection, anti-virus, and threat assessment. He holds a bachelor’s degree in electrical engineering and a master’s degree in computer science from Stevens Institute of Technology.
Matthew J. Decker, CISSP, CISA, CBCP, has 17 years of professional experience in information security. He has advised private industry and local government on information security issues for the past six years with International Network Services, Lucent Technologies, and KPMG LLP. Prior to this, he devoted two years to the United States Special Operations Command (USSOCOM) as a contractor for Booz Allen Hamilton, and served nine years with the NSA. He earned a BSEE in 1985 from Florida Atlantic University and an MBA in 1998 from Nova Southeastern University. In 1992, the NSA’s Engineering and Physical Science Career Panel awarded him Certified Cryptologic Engineer (CCE) stature. A former president of the ISSA Tampa Bay chapter, he is a member of ISSA and ISACA.
David Deckter, CISSP, a manager with Deloitte & Touche Enterprise Risk Services, has extensive experience in information systems security disciplines, controlled penetration testing, secure operating system, application and internetworking architecture and design, risk and vulnerability assessments, and project management. Deckter has obtained (ISC)2 CISSP certification. He has performed numerous network security assessments for emerging technologies and electronic commerce initiatives in the banking, insurance, telecommunications, healthcare, and financial services industries, and has been actively engaged in projects requiring HIPAA security solutions.
Gildas Deograt, CISSP, is a CISSP Common Body of Knowledge (CBK) seminar instructor. He has been working in the IT field for more than ten years, with a focus over the past five years on information security. His experience includes network design and implementation, security policy development and implementation, developing security awareness programs, network security architecture, assessment and integration, and firewall deployment. At present, he is an Information System Security Officer for Total Exploration and Production. Before moving to France, he was the Chief Information Security Officer at TotalFinaElf E&P Indonesia and also a board member of the Information System Security Association (ISSA), Indonesia.
Sandeep Dhameja, CISSP, is responsible for implementation, management of data, network security, and information security at Morningstar. With more than ten years of IT experience, including five years in information security, Dhameja has held several executive and consulting positions. He is widely published with the IEEE, International Engineering Consortium (IEC), Society of Automotive Engineers (SAE), and at international conferences.
John Dorf, ARM, is a senior manager in the Actuarial Services Group of Ernst & Young. Specializing in insurance underwriting and risk management consulting, John earned his 19 years of experience as a risk manager at several Fortune 500 financial service and manufacturing firms. Before joining Ernst & Young, John was a senior risk manager at General Electric Capital Corporation. John has also held risk management positions at Witco Corporation, National Westminster Bank, and the American Bureau of Shipping. Prior to becoming a risk manager, John spent seven years as an underwriting manager and senior marine insurance underwriter at AIG and Atlantic Mutual. John holds an MBA with a concentration in risk management from the College of Insurance; a BA in Economics from Lehigh University; and an Associate in Risk Management (ARM) designation from the Insurance Institute of America.
Mark Edmead, CISSP, SSCP, TICSA, is president of MTE Software, Inc. (www.mtesoft.com) and has more than 25 years of experience in software development, product development, and network/information systems security. Fortune 500 companies have often turned to Mark to help them with projects related to Internet and computer security. Mark previously worked for KPMG Information Risk Management Group and IBM’s Privacy and Security Group, where he performed network security assessments, security system reviews, development of security recommendations, and ethical hacking. Other projects included helping companies develop secure and reliable network system architecture for their Web-enabled businesses. Mark was managing editor of the SANS Digest (Systems Administration and Network Security) and contributing editor to the SANS Step-by-Step Windows NT Security Guide. He is co-author of Windows NT: Performance, Monitoring and Tuning, and he developed the SANS Business Continuity/Disaster Recovery Plan Step-by-Step Guide.
Carl F. Endorf, CISSP, is a senior security analyst for one of the largest insurance and banking companies in the United States. He has practical experience in forensics, corporate investigations, and Internet security.
Vatcharaporn Esichaikul is with the School of Advanced Technologies at the Asian Institute of Technology in Pathumthani, Thailand.
Jeffrey H. Fenton, CBCP, CISSP, is the corporate IT crisis assurance/mitigation manager and technical lead for IT Risk Management and a senior staff computer system security analyst in the Corporate Information Security Office at Lockheed Martin Corporation. He joined Lockheed Missiles and Space Company in Sunnyvale, California, as a system engineer in 1982 and transferred into its telecommunications group in 1985. Fenton completed a succession of increasingly complex assignments, including project manager for the construction and activation of an earthquake-resistant network center on the Sunnyvale campus in 1992, and group leader for network design and operations from 1993 through 1996. Fenton holds a BA in economics from the University of California, San Diego, an MA in economics and an MS in operations research from Stanford University, and an MBA in telecommunications from Golden Gate University. Fenton is also a Certified Business Continuity Planner (CBCP) and a Certified Information Systems Security Professional (CISSP).
Bryan D. Fish, CISSP, is a security consultant for Lucent Technologies in Dallas, Texas. He holds a BS in Computer Engineering and a Master of Computer Science degree with a focus on internetworking and computer system security, both from Texas A&M University. Professional interests include security programs and policies, and applications of cryptography in network security.
Todd Fitzgerald, CISSP, CISA, is the Systems Security Officer for United Government Services, LLC, the nation’s largest processor of Medicare hospital claims on behalf of the Centers for Medicare and Medicaid Services (CMS). He has over 24 years of broad-based information technology experience, holding senior IT management positions with Fortune 500 and Global Fortune 250 companies. Todd is a board member of the ISSA–Milwaukee Chapter, co-chair of the HIPAA Collaborative of Wisconsin Security Task Force, a participant in the CMS/Gartner Security Best Practices Group, and a frequent speaker and writer on security issues.
Stephen D. Fried, CISSP, is the Director of Global Information Security at Lucent Technologies, leading the team responsible for protecting Lucent’s electronic and information infrastructure. Stephen began his professional career at AT&T in 1985 and has progressed through a wide range of technical and leadership positions in such areas as software development, database design, call center routing, computing research, and information security for AT&T, Avaya, and Lucent Technologies. More recently, Stephen has developed the information security program for two Fortune 500 companies, leading the development of security strategy, architecture, and deployment while dealing with such ever-changing topics as policy development, risk assessment, technology development and deployment, and security outsourcing. He is a Certified Information Systems Security Professional and is also an instructor with the SANS Institute. Stephen holds a BS in Telecommunications Management and an MS in Computer Science.
Ed Gabrys, CISSP, is a senior systems engineer for Symantec Corporation. He was information security manager for People’s Bank in Bridgeport, Connecticut.
Brian Geffert, CISSP, CISA, is a senior manager for Deloitte & Touche’s Security Services Practice and specializes in information systems controls and solutions. Geffert has worked on the development of HIPAA assessment tools and security services for healthcare industry clients to determine the level of security readiness with Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. In addition, he has implemented solutions to assist organizations addressing their HIPAA security readiness issues. Finally, Geffert is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA).
Karen Gibbs is a senior data warehouse architect with Teradata, Dayton, Ohio.
Alex Golod, CISSP, is an infrastructure specialist for EDS in Troy, Michigan.
Robert Gray, Ph.D., is currently Chair of the Quantitative Methods and Computer Information Systems Department at Western New England College and has more than 20 years of academic and management experience in the IT field.
Frandinata Halim, CISSP, MCSE, a senior security consultant at ITPro Citra Indonesia, PT, has ample experience and qualifications in providing clients with managed security services, information system security consulting, secure network deployment, and other services. In addition, he is competent and knowledgeable in the use and hardening of the Windows environment, Cisco security devices, a number of IDSs, firewalls, and others, currently holding certifications such as CISSP from (ISC)2; CCSP, CCDA, and CCNA from Cisco Systems; and MCSE from Microsoft. He obtained his bachelor’s degree in electronic engineering from Trisakti University, Jakarta, and his master’s degree in information system management from Bina Nusantara University, Jakarta.
Susan D. Hansche, CISSP, is a senior manager for information system security awareness and training at PEC Solutions, based in Fairfax, Virginia. She has designed numerous training courses on information technology and information systems security for both private-sector and government clients. Susan is co-author of the Official (ISC)2 Guide to the CISSP Exam. She can be reached via e-mail at susan.hansche@pec.com.
William T. Harding, Ph.D., is Dean of the College of Business Administration and an associate professor at Texas A & M University, in Corpus Christi.
Chris Hare, CISSP, CISA, is an Information Security and Control Consultant with Nortel Networks in Dallas, Texas. His experience encompasses over sixteen years in the computing industry, with key positions ranging from application design, quality assurance, system administration/engineering, and network analysis to security consulting, operations, and architecture. His management career, coupled with in-depth technical knowledge, provides the foundation to relate the intricate risks of technology to the ongoing survival of major corporations. Chris periodically shares his knowledge in speaking engagements, published articles, books, and other publications. He has written a number of articles for Sys Admin magazine, ranging from system administration and tutorial articles to management and architecture. Chris is now writing for Auerbach’s Data Security Management, Information Security Management Handbook, and Data Communication Management, and is coauthor of the Official (ISC)2 Guide to the CISSP Exam. Chris has taught information security at Algonquin College (Ottawa, Canada) and was one of the original members of the Advisory Council for this program. He frequently speaks at conferences on UNIX, specialized technology and applications, security, and audit.
Jay Heiser, CISSP, is an analyst with the European headquarters of TruSecure. A seasoned professional with fourteen years of security experience, he has helped secure the infrastructures of both major Swiss banks, leading Internet service providers, manufacturers, and the U.S. Department of Defense. He co-authored Computer Forensics: Incident Response Essentials, and is currently writing a new handbook on information security. Since 1999, he has been a columnist for Information Security magazine where he also serves on the Editorial Advisory Board. He was the first Security Editor for Java Developers Journal and has written for InfoWorld, Network World, Web Techniques, and The Handbook of Information Security Management. In demand in both Europe and America for his entertaining and thought-provoking presentations, Mr. Heiser has an MBA in International Management from the American Graduate School of International Management.
Gilbert Held is an award-winning author and lecturer. Gil is the author of over 40 books and 450 technical articles. Some of Gil’s recent book titles include Building a Wireless Office and The ABCs of IP Addressing, published by Auerbach Publications. Gil can be reached via e-mail at gil_held@yahoo.com.
Foster Henderson, CISSP, MCSE, CRP, CNA, is an information assurance analyst for Analytic Services, Inc. (ANSER). He is currently a member of the Network Operations and Security Branch within the federal government, covering a wide range of IA matters.
Kevin Henry, CISA, CISSP, Director–Program Development for (ISC)2 Institute, is a regular speaker at conferences and training seminars worldwide, with frequent requests to provide in-depth training, foundational and advanced information systems security and audit courses, and detailed presentations and workshops on the latest issues in the information systems security field. Kevin combines over twenty years’ experience in telecom and consulting engagements for major government and corporate clients with an interesting and comfortable learning style that enhances the understanding, relevance, and practical application of the subject matter. Kevin graduated from Red River College as a computer programmer/analyst and has an Advanced Graduate Diploma in Management from Athabasca University, where he is currently enrolled in the MBA program with a focus on information technology. Kevin has also had several articles published in leading trade journals and in the Handbook of Information Security Management.
Paul A. Henry, MCP+I, MCSE, CCSA, CFSA, CFSO, CISSP, Vice President of CyberGuard Corporation and an information security expert who has worked in the security field for more than 20 years, has provided analysis and research support on numerous complex network security projects in Asia, the Middle East, and North America, including several multimillion dollar network security projects, such as Saudi Arabia’s National Banking System and the DoD Satellite Data Project USA. Henry has given keynote speeches at security seminars and conferences worldwide on topics including DDoS attack risk mitigation, firewall architectures, intrusion methodology, enterprise security, and security policy development. An accomplished author, Henry has also published numerous articles and white papers on firewall architectures, covert channel attacks, distributed denial-of-service (DDoS) attacks, and buffer overruns. Henry has also been interviewed by ZD Net, the San Francisco Chronicle, the Miami Herald, NBC Nightly News, CNBC Asia, and many other media outlets.
Rebecca Herold, CISSP, CISA, FLMI, is Vice President, Privacy Services and Chief Privacy Officer at DelCreo, Inc. Prior to this, she was chief privacy officer and senior security architect for QinetiQ Trusted Information Management, Inc. (Q-TIM). She has more than 13 years of information security experience. Herold was the editor and contributing author for The Privacy Papers, released in December 2001. Most recently she was the co-author of The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach, 2004). She has also written numerous magazine and newsletter articles on information security topics and has given many presentations at conferences and seminars. Herold can be reached at rebecca@delcreo.com.
Debra S. Herrmann is the ITT manager of security engineering for the FAA Telecommunications Infrastructure program. Her special expertise is in the specification, design, and assessment of secure mission-critical systems. She is the author of Using the Common Criteria for IT Security Evaluation and A Practical Guide to Security Engineering and Information Assurance, both from Auerbach Publications.
Steven Hofmeyr, Ph.D., chief scientist and founder of Sana Security, Inc., received a Ph.D. in computer science in 1999 from the University of New Mexico (UNM), focusing on immunological approaches to computer security. During his studies, he spent a year at the Artificial Intelligence Lab at MIT. After finishing his Ph.D., he was a postdoctoral researcher at UNM, and closely associated with the Santa Fe Institute for Complexity Studies. Hofmeyr has authored and co-authored many articles published in conference proceedings and peer-reviewed journals on computer security, immunology, and adaptive computation. He has served on the program committee for the ACM’s New Security Paradigms Workshop, and is currently on the program committee for the Artificial Immune Systems workshop at the IEEE World Congress on Computational Intelligence. He can be reached at steve.hofmeyr@sanasecurity.com.
Daniel D. Houser, CISSP, MBA, e-Biz+, is a senior security engineer with Nationwide Mutual Insurance Company.
Joost Houwen, CISSP, CISA, is the security manager for Network Computing Services at BC Hydro. He has a diverse range of IT and information security experience.
Patrick D. Howard, CISSP, a Senior Information Security Consultant for the Titan Corporation, has over 31 years experience in security management and law enforcement. He has been performing security certification and accreditation tasks for over 14 years as both a security manager and a consultant from both government and commercial industry perspectives. He has experience with implementing security C&A with the Department of the Army, Nuclear Regulatory Commission, Department of Agriculture, and Department of Transportation, and has been charged with developing C&A and risk management guidance for organizations such as Bureau of the Public Debt, U.S. Coast Guard, State of California, University of Texas Southwestern Medical School, University of Texas Medical Branch, and corporations including John Hancock, BankBoston, Sprint, eSylvan, and Schering–Plough. He has extensive practical experience in implementing programs and processes based on NIST guidance (FIPS Pub 102, SP 800-18, 800-26, 800-30, 800-37, etc.), OMB Circular A-130, Appendix III, and BS 7799/ISO 17799. He has direct working experience in security plan development for complex systems, sensitivity definition, use of minimum security baselines, risk analysis, vulnerability assessment, controls validation, risk mitigation, and documenting certification and accreditation decisions. Mr. Howard has also developed and presented training on all of these processes. He is the author of Building and Implementing a Security Certification and Accreditation Program (Auerbach Publications, 2004).
Javed Ikbal, CISSP, works at a major financial services company as Director, IT Security, where he is involved in security architecture, virus/cyber incident detection and response, policy development, and building custom tools to solve problems. A proponent of open-source security tools, he is a believer in the power of Perl.

Sureerut Inmor is with the School of Advanced Technologies at the Asian Institute of Technology in Pathumthani, Thailand. He can be reached at sureerut_earth@hotmail.com.
Carl B. Jackson, CISSP, is Vice President–Enterprise Continuity Planning for DelCreo, Inc., an enterprise risk management company. He is a Certified Information Systems Security Professional (CISSP) with more than 25 years of experience in the areas of continuity planning, information security, and information technology internal control and quality assurance reviews and audits. Prior to joining DelCreo, Inc., he served in the QinetiQ-TIM Corporation and as a Partner with Ernst & Young, where he was the firm’s BCP Service Line Leader. Carl has extensive consulting experience with numerous major organizations in multiple industries, including manufacturing, financial services, transportation, healthcare, technology, pharmaceuticals, retail, aerospace, insurance, and professional sports management. He also has extensive industry business continuity planning experience as an information security practitioner, manager in the field of information security and business continuity planning, and as a university-level instructor. He has written extensively and is a frequent public speaker on all aspects of continuity planning and information security. Carl can be reached at 1+ 936-328-3663 or by e-mail at carl@delcreo.com.
Martin Johnson is senior manager, Information Systems Assurance & Advisory Services, with Ernst & Young LLP.
Sudhanshu Kairab, CISSP, CISA, is an information security consultant with a diverse background, including security consulting, internal auditing, and public accounting across different industries. His recent projects include security assessments and development of security policies and procedures.
Ray Kaplan, CISSP, CISA, CISM, Qualified BS7799 Auditor Credentials and CHSP (Certified HIPAA Security Professional), is an information security consultant with Ray Kaplan and Associates in Minneapolis, Minnesota. He has been a consultant and a frequent writer and speaker in information security for over two decades.
Christopher King, CISSP, is a security consultant with Greenwich Technology Partners, Chelmsford, Massachusetts.
Walter S. Kobus, Jr., CISSP, is Vice President, Security Consulting Services, with Total Enterprise Security Solutions, LLC. He has over 35 years of experience in information systems with 15 years experience in security, and is a subject matter expert in several areas of information security, including application security, security management practice, certification and accreditation, secure infrastructure, and risk and compliance assessments. As a consultant, he has an extensive background in implementing information security programs in large environments. He has been credited with the development of several commercial software programs in accounting, military deployment, budgeting, marketing, and several IT methodologies in practice today in security and application development.
Bryan T. Koch, CISSP, holds a BS in psychology, Michigan State University. He began his career as an operating systems developer in academic and scientific settings. He has been involved in the field of IT–Security for almost 20 years, starting as an outgrowth of his effort to connect Cray Research to the Internet — he was asked to create (1988) and lead (through 1995) the company's information security program. Since leaving Cray Research, his focus has been the effectiveness of information security programs in high-threat environments such as electronic commerce. Currently he is responsible for the security of RxHub, a healthcare information technology company.
Joe Kovara, CTP and Principal Consultant of Certified Security Solutions, Inc., has more than 25 years in the security and IT industries with extensive experience in all aspects of information security, operating systems and networks, as well as in the development and practical application of new technologies to a wide variety of applications and markets. Joe holds patents on self-configuring computer systems and networks. Prior to joining CSS in 2001, Joe was CTO of CyberSafe Corporation. Joe was a key contributor to CyberSafe's growth to over 250 employees in three countries, including three acquisitions and venture funding of over $100M. He was the prime mover in bringing several enterprise-security products to market and deploying them in mission-critical Fortune 100 environments, with product and services revenues totaling more than $25M. Prior to CyberSafe, Joe was a principal with the security-consulting firm of Kaplan, Kovara & Associates.
Micki Krause, CISSP, has held positions in the information security profession for the past 20 years. She is currently the Chief Information Security Officer at Pacific Life Insurance Company in Newport Beach, California, where she is accountable for directing the Information Protection and Security Program enterprisewide.
Micki has held several leadership roles in industry-influential groups including the Information Systems Security Association (ISSA) and the International Information System Security Certification Consortium (ISC)2 and is a long-term advocate for professional security education and certification. In 2003, Krause received industry recognition as a recipient of the “Women of Vision” award given by Information Security magazine. In 2002, Krause was honored as the second recipient of the Harold F. Tipton Award in recognition of sustained career excellence and outstanding contributions to the profession. She is a reputed speaker, published author, and co-editor of the Information Security Management Handbook series.
David C. Krehnke, CISSP, CISM, IAM, is a Principal Information Security Analyst for Northrop Grumman Information Technology in Raleigh, North Carolina. He has more than 30 years experience in assessment and implementation of information security technology, policy, practices, procedures, and protection mechanisms in support of organizational objectives for various federal agencies and government contractors. Krehnke has also served the (ISC)2 organization as a board member, vice president, president, and program director responsible for test development.
Mollie E. Krehnke, CISSP, IAM, is a Principal Information Security Analyst for Northrop Grumman Information Technology in Raleigh, North Carolina. She has served as an information security consultant for more than 15 years.
Kelly J. "KJ" Kuchta, CPP, CFE, is President of Forensics Consulting Solutions, in Phoenix. He was formerly an area leader for Meta Security Group and Ernst & Young’s Computer Forensics Services Group in Phoenix, Arizona. He is an active member of the High Technology Crime Investigation Association (HTCIA), Association of Certified Fraud Examiners (ACFE), Computer Security Institute (CSI), International Association of Financial Crime Investigators Association (IACFCI), and the American Society of Industrial Security (ASIS). He currently serves on the board of the ASIS Information Technology Security Council.
Ross A. Leo, CISSP, an information security professional for over 23 years, with experience in a broad range of enterprises, currently is the Director of Information Systems, and Chief Information Security Officer at the University of Texas Medical Branch/Correctional Managed Care Division in Galveston, Texas. He has worked internationally as a systems analyst and engineer, IT auditor, educator, and security consultant for companies including IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, Coopers & Lybrand, and Rockwell International. Recently, he was the Director of IT Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Centre. His professional affiliations include (ISC)2, ASIS, and HCCO, and he is a member of the IT Security Curriculum Development and Advisory Board for Texas State Technical College. Mr. Leo attended graduate school at the University of Houston, and undergraduate school at Southern Illinois University. He is the editor of the HIPAA Program Reference Handbook (Auerbach Publications, 2004).
Ian Lim, CISSP, a senior consultant in Accenture’s global security consulting practice, has defined and deployed security architectures for Fortune 100 companies, as well as contributed to Accenture’s Global Privacy and Policy Framework. Ian graduated from the University of California at Irvine with a degree in Information Computer Science and a minor in English.
David A. Litzau, CISSP, with a foundation in electronics and audio/visual, moved into the computer sciences in 1994. David has been teaching information security in San Diego for the past six years.
David MacLeod, Ph.D., CISSP, is the chief information security officer for The Regence Group, based in Portland, Oregon. He holds a Ph.D. in computer science, has 23 years of experience in information technology, and is accredited by ISC2 as a CISSP. He is also accredited by the Healthcare Information Management and Systems Society (HIMSS) as a Certified Professional in Healthcare Information Management Systems (CPHIMS). MacLeod has worked in a variety of industries, including government, retail, banking, defense contracting, emerging technologies, biometrics, physical security, and healthcare. He is a member of the organizing committee for the Health Sector Information Sharing and Analysis Center (ISAC), part of the Critical Infrastructure Protection activities ordered by Presidential Decision Directive 63.
Franjo Majstor, CISSP, CCIE, is a senior technical consultant with Cisco Systems, Inc., in Brussels, Belgium. He focuses on security products, features, and solutions across technologies and is involved as a trusted adviser in the design of major security networking-related projects in Europe, the Middle East, and Africa.
Robert A. Martin is the leader of Common Vulnerabilities and Exposures (CVE) Compatibility efforts and a member of MITRE’s Open Vulnerability Assessment Language (OVAL) team. As a principal engineer in MITRE’s Information Technologies Directorate, his work focuses on the interplay of cyber-security, critical infrastructure protection, and software engineering technologies and practices. A member of the ACM, AFCEA, NDIA, and the IEEE, Martin holds a bachelor’s degree and a master’s degree in electrical engineering from Rensselaer Polytechnic Institute and an MBA from Babson College.
Bruce R. Matthews, CISSP, has been managing embassy technical security programs for U.S. government facilities worldwide for over 15 years. He is a Security Engineering Officer with the U.S. Department of State, Bureau of Diplomatic Security, and is currently on a three-year exchange program with the British Government. With the British, Bruce is examining a wide range of technical security issues and how they impact on IT security. As part of his work, he also conducts vulnerability assessments, IT security investigations and forensic analysis. In previous assignments, Bruce was head of the Department of State IT security training program and Chairman of the Security Standards Revision Committee for the Overseas Security Policy Board (OSPB).
Bruce, who has been published in magazines such as Information Security and State, is the author of Video Surveillance and Security Applications: A Manager’s Guide to CCTV (Auerbach Publications, 2004).
George G. McBride, CISSP, is the Senior Manager of Lucent Technologies’ Global Risk Assessment and Penetration Testing group in Holmdel, New Jersey, and has worked in the network security industry for more than six years. George has spoken at conferences worldwide on topics such as penetration testing, risk assessments, and open source security tools. He has consulted to numerous Fortune 100 companies on projects including network architecture, application vulnerability assessments, and security organization development. George has a Bachelor’s degree in electronic engineering and a master’s degree in software engineering.
Samuel C. McClintock is a Principal Security Consultant with Litton PRC, Raleigh, North Carolina.
Lowell Bruce McCulley, CISSP, has more than 30 years of professional experience in the information systems industry. His security credentials are complemented by an extensive background in systems development engineering, primarily focused on critical systems, along with experience in production operations, training, and support roles.
Laurie Hill McQuillan, CISSP, has been a technology consultant for 25 years, providing IT support services to commercial and federal government organizations. McQuillan is vice president of KeyCrest Enterprises, a national security consulting company. She has a Master’s degree in technology management and teaches graduate-level classes on the uses of technology for research and the impact of technology on culture. She is treasurer of the Northern Virginia Chapter of the Information Systems Security Association (ISSA) and a founding member of CASPR, an international project that plans to publish Commonly Accepted Security Practices and Recommendations. She can be contacted at LMcQuillan@KeyCrest.com.
Dorsey Morrow, JD, CISSP, is operations manager and general counsel for the International Information Systems Security Certification Consortium, Inc. (ISC)2. He earned a BS degree in computer science and an MBA with an emphasis in information technology. He has served as general counsel to numerous information technology companies and also served as a judge. He is licensed to practice in Alabama, Massachusetts, the 11th Federal Circuit, and the U.S. Supreme Court.
William Hugh Murray, CISSP, an executive consultant for TruSecure Corporation and a senior lecturer at the Naval Postgraduate School, has more than fifty years experience in information technology and more than thirty years in security. He serves as secretary of (ISC)2 and is an advisor on the Board of Directors of the New York Metropolitan Chapter of ISSA. During more than twenty-five years with IBM his management responsibilities included development of access control programs, advising IBM customers on security, and the articulation of the IBM security product plan. He is the author of the IBM publication, Information System Security Controls and Procedures. Mr. Murray has made significant contributions to the literature and the practice of information security. He is a popular speaker on such topics as network security architecture, encryption, PKI, and secure electronic commerce. He is a founding member of the International Committee to establish the "Generally Accepted System Security Principles" (GASSP) as called for in the National Research Council's Report, Computers at Risk. He is a founder and board member of the Colloquium on Information System Security Education (CISSE). He has been recognized as a founder of the systems audit field and by Information Security as a Pioneer in Computer Security. In 1987 he received the Fitzgerald Memorial Award for leadership in data security. In 1989 he received the Joseph J. Wasserman Award for contributions to security, audit and control. In 1995 he received a Lifetime Achievement Award from the Computer Security Institute. In 1999 he was enrolled in the ISSA Hall of Fame in recognition of his outstanding contribution to the information security community.
Judith M. Myerson is a systems architect and engineer, and also a freelance writer. She is the editor of Enterprise Systems Integration, 2nd Edition, and the author of The Complete Book of Middleware and numerous articles, white papers, and reports. In addition to software engineering, her areas of interest include middleware technologies, enterprisewide systems, database technologies, application development, network management, distributed systems, component-based technologies, and project management. You can contact her at jmyerson@bellatlantic.net.
K. Narayanaswamy, Ph.D., Chief Technology Officer and co-founder, Cs3, Inc., is an accomplished technologist who has successfully led the company’s research division since inception. He was the principal investigator of several DARPA and NSF research projects that have resulted in the company’s initial software product suite, and leads the company’s current venture into DDoS and Internet infrastructure technology. He has a Ph.D. in computer science from the University of Southern California.
Matunda Nyanchama, Ph.D., CISSP, is a Senior Advisor, Information Security Analytics at the Bank of Montreal Financial Group. Dr. Nyanchama has held a number of professional security positions, including working as a senior security consultant at Ernst & Young; Director of Security Architecture at Intellitactics Inc., a Canadian security software company; and Telecommunications Engineer at the Kenya Posts & Telecommunications Corporation, Kenya. Dr. Nyanchama has published a number of security management papers and is interested in information protection as risk management, and in information security metrics. Dr. Nyanchama holds masters and doctoral degrees in computer science from the University of Western Ontario in Canada, and an undergraduate electrical engineering degree from the University of Nairobi, Kenya.

Will Ozier, president and founder of OPA Inc. – The Integrated Risk Management Group (OPA), is an expert in risk assessment and contingency planning, with broad experience consulting to Fortune 500 companies and government agencies at all levels. Prior to founding OPA, Ozier held key technical and management positions with leading firms in the manufacturing, financial, and consulting industries. Since then Ozier conceived, developed, and now directs the marketing and evolution of the expert risk analysis and assessment package, BDSS. He chaired the ISSA Information Valuation Committee, which developed and released the ISSA Guideline for Information Valuation, and he now chairs the International Information Security Foundation's (IISF) Committee to develop Generally Accepted System Security Principles (GASSP). He consulted to the President's Commission on Critical Infrastructure Protection (PCCIP). He was principal author of The IIA's Information Security Management: A Call to Action for Corporate Governance. Ozier is an articulate author and spokesman for information security who has published numerous articles and has presented many talks and seminars in the United States and abroad to a wide variety of audiences.
Keith Pasley, CISSP, is a security professional with over 20 years experience designing and building security architectures for both commercial and federal government. Keith has authored papers and taught security classes and is currently working as a regional security practice director.
Ralph Spencer Poore, CISSP, CISA, CFE, is a regular columnist and graybeard in the information security field. As Managing Partner of Pi 'R' Squared Consulting, Ltd., Ralph provides privacy and security consulting services. He is active in national and international standards, is a member of the International Information Systems Security Certification Consortium, Inc. [(ISC)2] Professional Practices Committee, Chairman of (ISC)2 Governance Committee, 2003 recipient of (ISC)2 President's Award, a member of the Generally Accepted Information Security Principles (GAISP) Steering Committee, a nominee to Who's Who in Information Security and an inventor with patents in counter forgery techniques and privacy processes.

Mike Prevost is the DBsign Product Manager at Gradkell Systems, Inc., in Huntsville, Alabama.

Anita Reed, CPA, is currently an accounting doctoral student at the University of South Florida, Tampa, and has 19 years of public accounting experience.
David Rice, CISSP, recognized by the Department of Defense and industry as an information security expert, has spent seven years working on highly sensitive national information security issues and projects. He has held numerous professional certifications; developed and authored several configuration guides, including “Guide to Securing Microsoft Windows 2000 Active Directory,” “Guide to Securing Microsoft Windows 2000 Schema,” and “Microsoft Windows 2000 Group Policy Reference;” and won Government Executive Magazine’s Technical Leadership Award. David is the founder and senior partner of TantricSecurity, LLC, an elite information security consultancy for government and private industry. In addition to his consultancy, research, and publications, David is an adjunct professor for the Information Security Graduate Curriculum at James Madison University, Harrisonburg, Virginia. David Rice is a graduate of the United States Naval Academy and earned his Masters of Science in Systems Engineering and Information Warfare from the Naval Postgraduate School, Monterey, California.
Donald R. Richards, CPP, is former Director of Program Development for IriScan, in Fairfax, Virginia.
Steve A. Rodgers, CISSP, has been assisting clients in securing their information assets for more than six years. Rodgers specializes in attack and penetration testing, security policy and standards development, and security architecture design. He is the co-founder of Security Professional Services (www.securityps.com) and can be reached at srodgers@securityps.com.
Marcus Rogers, Ph.D., CISSP, is an assistant research scientist at CERIAS at Purdue University. Prior to that, he was a director with Deloitte & Touche LLP, in Winnipeg, Ontario, Canada.
Ben Rothke, CISSP, COO, is a New York City-based senior security consultant with ThruPoint, Inc. and has over 15 years of industry experience in the area of information systems security. His areas of expertise are in PKI, HIPAA, 21 CFR Part 11, design and implementation of systems security, encryption, firewall configuration and review, cryptography and security policy development. Prior to joining ThruPoint, Ben was with Baltimore Technologies, Ernst & Young, and Citicorp, and has provided security solutions to many Fortune 500 companies. Ben is the author of Computer Security — 20 Things Every Employee Should Know, a contributing author to The Handbook of Information Security Management (Auerbach), and is a former columnist for Information Security and Solutions Integrator magazine. Ben is also a frequent speaker at industry conferences, such as CSI, RSA, NetSec, and ISACA, and a member of HTCIA, ISSA, ICSA, IEEE, ASIS, CSI and the New Jersey InfraGard chapter.

Ty R. Sagalow is executive vice president and chief operating officer of American International Group eBusiness Risk Solutions, the largest Internet risk insurance organization. Over the past 18 years, he has held several executive and legal positions within AIG. He graduated summa cum laude from Long Island University, cum laude from Georgetown University Law Center, and holds a Master of Law from New York University. He can be reached at ty.sagalow@aig.com.
Craig Schiller, CISSP, an information security consultant for Hawkeye Security, is the principal author of the first published edition of Generally Accepted System Security Principles.
Thomas J. Schleppenbach is a senior information security advisor and security solutions and product manager for Inacom Information Systems in Madison, Wisconsin. With over 16 years of IT experience, Tom provides information security and secure infrastructure design and acts in a strategic role helping organizations plan and build Information Security Programs. Tom also sits on the Western Wisconsin Chapter of InfraGard planning committee and is the co-chair for the Wisconsin Kids Improving Security (KIS) poster contest, working with schools and school districts to educate kids on how to stay safe online. For questions or comments, contact Tom at Tom.Schleppenbach@inacom-msn.com.
E. Eugene Schultz, Ph.D., CISSP, is a principal engineer with Lawrence Berkeley National Laboratory and also teaches computer science courses at the University of California at Berkeley. He previously founded and managed the CIAC (Computer Incident Advisory Capability) for the U.S. Department of Energy and was the Program Manager for the International Information Integrity Institute (I-4). He is co-founder of FIRST (Forum of Incident Response and Security Teams) and an advisor to corporate executives around the world on computer security policy and practice. An expert in a variety of areas within information security, he is the author of four books and over 90 papers. He is a frequent instructor for SANS, ISACA and CSI. Dr. Schultz is also a member of the ArcSight Security Advisory Board. He has received numerous professional awards, including the NASA Technical Innovation Award, Best Paper Award for the National Information Systems Security Conference, and Information Systems Security Association (ISSA) Professional Contribution Award. Dr. Schultz has also provided expert testimony for the U.S. Senate.
Paul Serritella is a security architect at American International Group. He has worked extensively in the areas of secure application design, encryption, and network security. He received a BA from Princeton University in 1998.
Duane E. Sharp is president of SharpTech Associates, a Canadian company based in Mississauga, Ontario, that specializes in the communication of technology. An electronics engineer with more than 25 years of experience in the technology sector, he has authored numerous articles for clients in information technology and for Auerbach Publications, as well as a handbook on interactive computer terminals, and most recently, an Auerbach handbook on CRM entitled Customer Relationship Management Systems Handbook.
Ken M. Shaurette, CISSP, CISA, CISM, IAM, is an Information Security Solutions Manager for Omni Tech Corporation in Pewaukee, Wisconsin. With over 25 total years of IT experience, Ken has provided information security and audit advice and vision for companies building information security programs for over 18 of those years. Ken is the President of the Western Wisconsin Chapter of InfraGard, President of ISSA–Milwaukee Chapter (International Systems Security Association), a member of the Wisconsin Association of Computer Crime Investigators (WACCI), a participant in the Cyber Security Alliance (www.staysafeonline.info), co-chair of the HIPAA–COW (Collaborative of Wisconsin) Security Workgroup, and co-chair of the annual Wisconsin InfraGard KIS (Kids Improving Security) Poster Contest.
Sanford Sherizen, Ph.D., CISSP, is President of Data Security Systems, Inc. in Natick, Massachusetts. He can be reached at sherizen@ziplink.net.
Brian Shorten, CISSP, CISA, has been involved in information security since 1986, working in financial institutions and telecommunications companies. He has held positions as data protection officer and business continuity manager. A member of the ISACA, the British Computer Society, and the Business Continuity Institute, he writes and presents on various aspects of information security and business continuity.
Carol A. Siegel is the chief security officer of American International Group. Siegel is a well-known expert in the field of information security and has been in the field for more than ten years. She holds a BS in systems engineering from Boston University, an MBA in computer applications from New York University, and is a CISA. She can be reached at carol.siegel@aig.com.
Valene Skerpac, CISSP, is past chairman of the IEEE Communications Society. Over the past 20 years, she has held positions at IBM and entrepreneurial security companies. Valene is currently president of iBiometrics, Inc.
Ed Skoudis, CISSP, is a consultant at International Network Systems (INS). His expertise includes hacker attacks and defenses, the information security industry, and computer privacy issues. He has performed numerous security assessments, designed secure network architectures, and responded to computer attacks for clients in the financial, high-technology, healthcare, and other industries. A frequent speaker on issues associated with hacker tools and defenses, he has published several articles on these topics, as well as the books, Malware (2003) and Counter Hack (2001). He is the author of the popular Crack the Hacker Challenge series, which challenges InfoSec Professionals to learn from others' mistakes. Additionally, he conducted a demonstration of hacker techniques against financial institutions for the United States Senate. His prior work experience includes Bell Communications Research (Bellcore) and SAIC. Ed received his Master's Degree in Information Networking at Carnegie Mellon University.

Ed Skoudis is the vice president of security strategy for Predictive Systems’ Global Integrity consulting practice. His expertise includes hacker attacks and defenses, the information security industry, and computer privacy issues. Skoudis is a frequent speaker on issues associated with hacker tools and defenses. He has published the book Counter Hack (Prentice Hall) and the interactive CD-ROM, Hack–Counter Hack.
Robert M. Slade, CISSP, is a data communications and security specialist from North Vancouver, British Columbia, Canada. He has both formal training in data communications and exploration with the BBS and network community, and has done communications training for a number of the international commercial seminar firms. He is the author of "Robert Slade's Guide to Computer Viruses." He has a B.Sc. from the University of BC, and an MS from the University of Oregon. He is the founder of the DECUS Canada Education and Training SIG.
William Stackpole, CISSP, is a senior consultant, Trustworthy Computing Services, for Microsoft Corporation. He was a senior security consultant with Olympic Resource Management in Poulsbo, Washington.
Steve Stanek is a Chicago-based writer specializing in technology issues.
Christopher Steinke, CISSP, is an Information Security Consulting Staff Member, Lucent World Wide Services, Dallas, Texas.
Alan B. Sterneckert, CISA, CISSP, CFE, CCCI, is the owner and general manager of Risk Management Associates located in Salt Lake City, Utah. A retired Special Agent, Federal Bureau of Investigation, Mr. Sterneckert is a professional specializing in risk management, IT system security, and systems auditing. In 2003, Mr. Sterneckert will complete a book about critical incident management, published by Auerbach.
Per Thorsheim is a Senior Consultant with PricewaterhouseCoopers in Bergen, Norway.
James S. Tiller, CISSP, Chief Security Officer for International Network Services, manages the development, delivery, and sales of security services worldwide. Jim has spent much of his 15-year career providing secure solutions for organizations throughout North America and Europe. He is author of A Technical Guide to IPSec Virtual Private Networks (Auerbach Publications, 2000) and The Ethical Hack: A Business Value Framework for Penetration Testing (Auerbach Publications, 2004), and holds four patents detailing successful security models and architecture.
Harold F. Tipton, CISSP, currently an independent consultant and Past-President of the International Information System Security Certification Consortium, was Director of Computer Security for Rockwell International Corporation for 15 years. He initiated the Rockwell computer and data security program in 1977 and then continued to administer, develop, enhance and expand the program to accommodate the control needs produced by technological advances until his retirement from Rockwell in 1994.
He has been a member of the Information Systems Security Association (ISSA) since 1982, was president of the Los Angeles Chapter in 1984, and president of the national organization of ISSA (1987–1989). He was added to the ISSA Hall of Fame and the ISSA Honor Roll in 2000. He received the Computer Security Institute "Lifetime Achievement Award" in 1994 and the (ISC)2 "Hal Tipton Award" in 2001. He was a member of the National Institute for Standards and Technology (NIST) Computer and Telecommunications Security Council and the National Research Council Secure Systems Study Committee (for the National Academy of Science). He has a BS in engineering from the U.S. Naval Academy, an MA in Personnel Administration from George Washington University, and a Certificate in Computer Science from the University of California at Irvine. He has published several papers on information security issues in the Information Security Management Handbook, Data Security Management, Information Systems Security, and the National Academy of Sciences report, Computers at Risk. He has been a speaker at all of the major information security conferences including: Computer Security Institute, the ISSA Annual Working Conference, the Computer Security Workshop, MIS Conferences, AIS Security for Space Operations, DOE Computer Security Conference, National Computer Security Conference, IIA Security Conference, EDPAA, UCCEL Security & Audit Users Conference, and Industrial Security Awareness Conference. He has conducted and participated in information security seminars for (ISC)2, Frost & Sullivan, UCI, CSULB, System Exchange Seminars and the Institute for International Research. He is currently serving as editor of Data Security Management and the Information Security Management Handbook.
William Tompkins, CISSP, CBCP, is a System Analyst with the Texas Parks and Wildlife Department in Austin, Texas.
James Trulove has more than 25 years of experience in data networking with companies such as Lucent, Ascend, AT&T, Motorola, and Intel. He has a background in designing, configuring, and implementing multimedia communications systems for local and wide area networks, using a variety of technologies. He writes on networking topics and is the author of LAN Wiring, An Illustrated Guide to Network Cabling and A Guide to Fractional T1, the editor of Broadband Networking, as well as the author of numerous articles on networking.
Michael Vangelos, CISSP, has over 23 years of IT experience, including 12 specializing in information security. He has managed the information security function at the Federal Reserve Bank of Cleveland for nine years and is currently the bank’s information security officer. He is responsible for security policy development, security administration, security awareness, vulnerability assessment, intrusion detection, and information security risk assessment, as well as incident response. He holds a degree in computer engineering from Case Western Reserve University.
Adriaan Veldhuisen is a senior data warehouse/privacy architect with Teradata, San Diego, California.
George Wade is a senior manager with Lucent Technologies in Murray Hill, New Jersey.
Thomas Welch, CISSP, CPP, has over seventeen years in the information systems business, ten of which he spent designing and developing public safety-related applications. He has served as a private investigator and information security consultant since 1988. He was actively engaged in consulting projects, which included security assessments, secure architecture design, security training, high-tech crime investigations and computer forensics. Mr. Welch is an author and frequent lecturer on computer security topics, including computer crime investigation/computer forensics.
Jaymes Williams, CISSP, is a security analyst for the PG&E National Energy Group and is currently the chapter secretary of the Portland, Oregon Chapter of ISSA. He has held security positions at other companies and served eight years in information security-related positions in the U.S. Air Force. The author’s proceeds from this chapter will be donated to the Twin Towers fund to benefit those affected by the disaster of September 11, 2001.
Anna Wilson, CISSP, CISA, is a principal consultant with Arqana Technologies, Inc., in Toronto, Ontario.
James M. Wolfe, MSM, is the senior virus researcher and primary technical contact for the Lockheed Enterprise Virus Management Group at Lockheed Martin Corporation. He is a member of the European Institute of Computer Antivirus Researchers (EICAR), the EICAR Antivirus Enhancement Program, the Antivirus Information Exchange Network, Infragard, and is a reporter for the WildList Organization. He has a BS in management information systems and an MS in change management from the University of Central Florida.
John O. Wylder, CISSP, has an extensive background in information technology and the financial services industry. Most recently, he has worked in the field of information security as a consultant. John writes on various topics for a wide variety of publications. John is very active in the business community, working with organizations such as Infragard, and is part of the advisory board of the Georgia Tech School of Economics. John is a graduate of Georgia Tech and has an MBA in finance from Mercer University. He is the author of Strategic Information Security (Auerbach Publications, 2003).
Brett Regan Young, CISSP, CBCP, MCSE, and CNE, is Director, Security and Business Continuity Services for Detek Computer Services, Inc., in Houston, Texas. Brett’s background includes several years as an independent consultant in the information security and business continuity arenas, primarily for Houston-area companies. Prior to his work as a consultant, he managed the international network of a major oil and gas firm. Brett has also held various positions in the natural gas production, control, and processing environment. Brett has project management experience in the petroleum, banking and insurance industries. He is a frequent contributor to several trade magazines as well as Texas newspapers on the subjects of risk management, security architecture, and business continuity planning and recovery.
Product details
File size: 43,875 KB
Pages: 3206
File type: PDF
ISBN: 0-8493-1997-8
Copyright: 2004 by CRC Press LLC


Table of Contents

Contributors
Introduction
1 ACCESS CONTROL SYSTEMS AND METHODOLOGY
Section 1.1 Access Control Techniques
Enhancing Security through Biometric Technology
Stephen D. Fried, CISSP
Biometrics: What is New?
Judith M. Myerson
It is All About Control
Chris Hare, CISSP, CISA
Controlling FTP: Providing Secured Data Transfers
Chris Hare, CISSP, CISA
Section 1.2 Access Control Administration
Types of Information Security Controls
Harold F. Tipton
When Technology and Privacy Collide
Edward H. Freeman
Privacy in the Healthcare Industry
Kate Borten, CISSP
The Case for Privacy
Michael J. Corby, CISSP
Section 1.3 Identification and Authentication Techniques
Biometric Identification
Donald R. Richards, CPP
Single Sign-On for the Enterprise
Ross A. Leo, CISSP
Single Sign-On
Ross A. Leo, CISSP
Section 1.4 Access Control Methodologies and Implementation
Relational Data Base Access Controls Using SQL
Ravi S. Sandhu
Centralized Authentication Services (RADIUS, TACACS, DIAMETER)
William Stackpole, CISSP
Implementation of Access Controls
Stanley Kurzban
An Introduction to Secure Remote Access
Christina M. Bird, Ph.D., CISSP
Section 1.5 Methods of Attack
Hacker Tools and Techniques
Ed Skoudis, CISSP
A New Breed of Hacker Tools and Defenses
Ed Skoudis, CISSP
Social Engineering: The Forgotten Risk
John Berti, CISSP and Marcus Rogers, Ph.D., CISSP
Breaking News: The Latest Hacker Attacks and Defenses
Ed Skoudis, CISSP
Counter-Economic Espionage
Craig A. Schiller, CISSP
Section 1.6 Monitoring and Penetration Testing
Penetration Testing
Stephen D. Fried, CISSP
The Self-Hack Audit
Stephen James
Penetration Testing
Chuck Bianco, FTTR, CISA, CISSP
2 TELECOMMUNICATIONS, NETWORK, AND INTERNET SECURITY
Section 2.1 Communications and Network Security
Understanding SSL
Chris Hare, CISSP, CISA
Packet Sniffers and Network Monitors
James S. Tiller, CISA, CISSP and Bryan D. Fish, CISSP
Secured Connections to External Networks
Steven F. Blanding
Security and Network Technologies
Chris Hare, CISSP, CISA
Wired and Wireless Physical Layer Security Issues
James Trulove
Network Router Security
Steven F. Blanding
Dial-Up Security Controls
Alan Berman and Jeffrey L. Ott
What’s Not So Simple about SNMP?
Chris Hare, CISSP, CISA
Network and Telecommunications Media: Security from the Ground Up
Samuel Chun, CISSP
Security and the Physical Network Layer
Matthew J. Decker, CISSP, CISA, CBCP
Security of Wireless Local Area Networks
Franjo Majstor, CISSP
Securing Wireless Networks
Sandeep Dhameja, CISSP
Wireless Security Mayhem: Restraining the Insanity of Convenience
Mark T. Chapman, MSCS, CISSP, IAM
Wireless LAN Security Challenge
Frandinata Halim, CISSP, CCSP, CCDA, CCNA, MSCE and Gildas Deograt, CISSP
An Introduction to LAN/WAN Security
Steven F. Blanding
ISO/OSI and TCP/IP Network Model Characteristics
George G. McBride, CISSP
Integrity and Security of ATM
Steve Blanding
Section 2.2 Internet/Intranet/Extranet
Enclaves: The Enterprise as an Extranet
Bryan T. Koch, CISSP
IPSec Virtual Private Networks
James S. Tiller, CISA, CISSP
Firewalls: An Effective Solution for Internet Security
E. Eugene Schultz, Ph.D., CISSP
Internet Security: Securing the Perimeter
Douglas G. Conorich
Extranet Access Control Issues
Christopher King, CISSP
Network Layer Security
Steven F. Blanding
Transport Layer Security
Steven F. Blanding
Application-Layer Security Protocols for Networks
William Stackpole, CISSP
Application Layer: Next Level of Security
Keith Pasley, CISSP
Security of Communication Protocols and Services
William Hugh Murray, CISSP
Security Management of the World Wide Web
Lynda L. McGhie and Phillip Q. Maier
An Introduction to IPSec
William Stackpole, CISSP
Wireless Internet Security
Dennis Seymour Lee
VPN Deployment and Evaluation Strategy
Keith Pasley, CISSP
How to Perform a Security Review of a Checkpoint Firewall
Ben Rothke, CISSP
Comparing Firewall Technologies
Per Thorsheim
The (In) Security of Virtual Private Networks
James S. Tiller, CISA, CISSP
Cookies and Web Bugs
William T. Harding, Ph.D., Anita J. Reed, CPA, and Robert L. Gray, Ph.D.
Leveraging Virtual Private Networks
James S. Tiller, CISA, CISSP
Wireless LAN Security
Mandy Andress, CISSP, SSCP, CPA, CISA
Expanding Internet Support with IPv6
Gilbert Held
Virtual Private Networks: Secure Remote Access Over the Internet
John R. Vacca
Applets and Network Security: A Management Overview
Al Berg
Security for Broadband Internet Access Users
James Trulove
New Perspectives on VPNs
Keith Pasley, CISSP
An Examination of Firewall Architectures
Paul A. Henry, CISSP, CNE
Deploying Host-Based Firewalls across the Enterprise: A Case Study
Jeffery Lowder, CISSP
Section 2.3 E-mail Security
Instant Messaging Security Issues
William Hugh Murray, CISSP
Email Security
Bruce A. Lobree
Email Security
Clay Randall
Protecting Against Dial-In Hazards: Email and Data Communications
Leo A. Wrobel
Section 2.4 Secure Voice Communications
Protecting Against Dial-In Hazards: Voice Systems
Leo A. Wrobel
Voice Security
Chris Hare, CISSP, CISA
Secure Voice Communications (VoI)
Valene Skerpac, CISSP
Section 2.5 Network Attacks and Countermeasures
Preventing DNS Attacks
Mark Bell
Preventing a Network from Spoofing and Denial of Service Attacks
Gilbert Held
Packet Sniffers: Use and Misuse
Steve A. Rodgers, CISSP
ISPs and Denial-of-Service Attacks
K. Narayanaswamy, Ph.D.
3 INFORMATION SECURITY MANAGEMENT
Section 3.1 Security Management Concepts and Principles
Measuring ROI on Security
Carl F. Endorf, CISSP, SSCP, GSEC
Security Patch Management
Jeffrey Davis, CISSP
Purposes of Information Security Management
Harold F. Tipton
The Building Blocks of Information Security
Ken M. Shaurette
The Human Side of Information Security
Kevin Henry, CISA, CISSP
Security Management
Ken Buszta, CISSP
Securing New Information Technology
Louis Fried
E-mail Security Using Pretty Good Privacy
William Stallings
Section 3.2 Change Control Management
Configuration Management: Charting the Course for the Organization
Mollie E. Krehnke, CISSP, IAM and David C. Krehnke, CISSP, CISM, IAM
Section 3.3 Data Classification
Information Classification: A Corporate Implementation Guide
Jim Appleyard
Section 3.4 Risk Management
A Matter of Trust
Ray Kaplan, CISSP, CISA, CISM
Trust Governance in a Web Services World
Daniel D. Houser, CISSP, MBA, e-Biz+
Risk Management and Analysis
Kevin Henry, CISA, CISSP
New Trends in Information Risk Management
Brett Regan Young, CISSP, CBCP
Information Security in the Enterprise
Duane E. Sharp
Managing Enterprise Security Information
Matunda Nyanchama, Ph.D., CISSP and Anna Wilson, CISSP, CISA
Risk Analysis and Assessment
Will Ozier
Managing Risk in an Intranet Environment
Ralph L. Kliem
Security Assessment
Sudhanshu Kairab, CISSP, CISA
Evaluating the Security Posture of an Information Technology Environment: The Challenges of Balancing Risk, Cost, and Frequency of Evaluating Safeguards
Brian R. Schultz, CISSP, CISA
Cyber-Risk Management: Technical and Insurance Controls for Enterprise-Level Security
Carol A. Siegel, Ty R. Sagalow, and Paul Serritella
Section 3.5 Employment Policies and Practices
A Progress Report on the CVE Initiative
Robert Martin, Steven Christey, and David Baker
Roles and Responsibilities of the Information Systems Security Officer
Carl Burney, CISSP
Information Protection: Organization, Roles, and Separation of Duties
Rebecca Herold, CISSP, CISA, FLMI
Organizing for Success: Some Human Resources Issues in Information Security
Jeffrey H. Fenton, CBCP, CISSP and James M. Wolfe, MSM
Ownership and Custody of Data
William Hugh Murray, CISSP
Hiring Ex-Criminal Hackers
Ed Skoudis, CISSP
Information Security and Personnel Practices
Edward H. Freeman
Section 3.6 Risk Management
Information Security Policies from the Ground Up
Brian Shorten, CISSP, CISA
Policy Development
Chris Hare, CISSP, CISA
Risk Analysis and Assessment
Will Ozier
Server Security Policies
Jon David
Toward Enforcing Security Policy: Encouraging Personal Accountability for Corporate Information Security Policy
John O. Wylder, CISSP
The Common Criteria for IT Security Evaluation
Debra S. Herrmann
A Look at the Common Criteria
Ben Rothke, CISSP
The Security Policy Life Cycle: Functions and Responsibilities
Patrick D. Howard, CISSP
Section 3.7 Security Awareness Training
Security Awareness Program
Tom Peltier
Maintaining Management’s Commitment
William Tompkins, CISSP, CBCP
Making Security Awareness Happen
Susan D. Hansche, CISSP
Making Security Awareness Happen: Appendices
Susan D. Hansche, CISSP
Section 3.8 Security Management Planning
Maintaining Information Security during Downsizing
Thomas J. Bray, CISSP
The Business Case for Information Security: Selling Management on the Protection of Vital Secrets and Products
Sanford Sherizen, Ph.D., CISSP
Information Security Management in the Healthcare Industry
Micki Krause
Protecting High-Tech Trade Secrets
William C. Boni
How to Work with a Managed Security Service Provider
Laurie Hill McQuillan, CISSP
Considerations for Outsourcing Security
Michael J. Corby, CISSP
Outsourcing Security
James S. Tiller, CISA, CISSP
4 APPLICATION PROGRAM SECURITY
Section 4.1 APPLICATION ISSUES
Security Models for Object-Oriented Databases
James Cannady
Web Application Security
Mandy Andress, CISSP, SSCP, CPA, CISA
The Perfect Security: A New World Order
Ken Shaurette
Security for XML and Other Metadata Languages
William Hugh Murray, CISSP
XML and Information Security
Samuel C. McClintock
Testing Object-Based Applications
Polly Perryman Kuver
Secure and Managed Object-Oriented Programming
Louis B. Fried
Application Service Providers
Andres Llana Jr.
Application Security
Walter S. Kobus, Jr., CISSP
Covert Channels
Anton Chuvakin, Ph.D., GCIA, GCIH
Security as a Value Enhancer in Application Systems Development
Lowell Bruce McCulley, CISSP
Open Source versus Closed Source
Ed Skoudis, CISSP
PeopleSoft Security
Satnam Purewal
World Wide Web Application Security
Sean Scanlon
Section 4.2 Databases and Data Warehousing
Reflections on Database Integrity
William Hugh Murray, CISSP
Datamarts and Data Warehouses: Keys to the Future or Keys to the Kingdom?
M. E. Krehnke and D. K. Bradley
Digital Signatures in Relational Database Applications
Mike R. Prevost
Security and Privacy for Data Warehouses: Opportunity or Threat?
David Bonewell, CISSP, CISA, Karen Gibbs, and Adriaan Veldhuisen
Relational Database Security: Availability, Integrity, and Confidentiality
Ravi S. Sandhu and Sushil Jajodia
Section 4.3 Systems Development Controls
Enterprise Security Architecture
William Hugh Murray, CISSP
Certification and Accreditation Methodology
Mollie E. Krehnke, CISSP, IAM and David C. Krehnke, CISSP, CISM, IAM
A Framework for Certification Testing
Kevin J. Davidson, CISSP
System Development Security Methodology
Ian Lim, CISSP and Ioana V. Carastan, CISSP
A Security-Oriented Extension of the Object Model for the Development of an Information System
Sureerut Inmor, Vatcharaporn Esichaikul, and Dencho N. Batanov
Methods of Auditing Applications
David C. Rice, CISSP and Graham Bucholz
Section 4.4 Malicious Code
Malware and Computer Viruses
Robert M. Slade, CISSP
An Introduction to Hostile Code and Its Control
Jay Heiser
A Look at Java Security
Ben Rothke, CISSP
Section 4.5 Methods of Attack
The RAID Advantage
Tyson Heyn
Malicious Code: The Threat, Detection, and Protection
Ralph Hoefelmeyer, CISSP and Theresa E. Phillips, CISSP
5 CRYPTOGRAPHY
Section 5.1 Use of Cryptography
Three New Models for the Application of Cryptography
Jay Heiser, CISSP
Auditing Cryptography: Assessing System Security
Steve Stanek
Section 5.2 Cryptographic Concepts, Methodologies, and Practices
Message Authentication
James S. Tiller, CISA, CISSP
Fundamentals of Cryptography and Encryption
Ronald A. Gove
Steganography: The Art of Hiding Messages
Mark Edmead, CISSP, SSCP, TICSA
An Introduction to Cryptography
Javek Ikbel, CISSP
Hash Algorithms: From Message Digests to Signatures
Keith Pasley, CISSP
A Look at the Advanced Encryption Standard (AES)
Ben Rothke, CISSP
Introduction to Encryption
Jay Heiser
Section 5.3 Private Key Algorithms
Principles and Applications of Cryptographic Key Management
William Hugh Murray, CISSP
Section 5.4 Public Key Infrastructure (PKI)
Getting Started with PKI
Harry DeMaio
Mitigating E-Business Security Risks: Public Key Infrastructures in the Real World
Douglas C. Merrill and Eran Feigenbaum
Preserving Public Key Hierarchy
Geoffrey C. Grabow, CISSP
PKI Registration
Alex Golod, CISSP
Section 5.5 System Architecture for Implementing Cryptographic Functions
Implementing Kerberos in Distributed Systems
Joe Kovara, CTP and Ray Kaplan, CISSP, CISA, CISM
Section 5.6 Methods of Attack
Methods of Attacking and Defending Cryptosystems
Joost Houwen, CISSP
6 ENTERPRISE SECURITY ARCHITECTURE
Section 6.1 Principles of Computer and Network Organizations, Architectures, and Designs
Security Infrastructure: Basics of Intrusion Detection Systems
Ken M. Shaurette, CISSP, CISA, NSA, IAM
Systems Integrity Engineering
Don Evans
Introduction to UNIX Security for Security Practitioners
Jeffery J. Lowder
Enterprise Security Architecture
William Hugh Murray
Microcomputer and LAN Security
Stephen Cobb
Reflections on Database Integrity
William Hugh Murray
Firewalls, 10 Percent of the Solution: A Security Architecture Primer
Chris Hare, CISSP, CISA
The Reality of Virtual Computing
Chris Hare, CISSP, CISA
Overcoming Wireless LAN Security Vulnerabilities
Gilbert Held
Section 6.2 Principles of Security Models, Architectures and Evaluation Criteria
Formulating an Enterprise Information Security Architecture
Mollie Krehnke, CISSP, IAM and David Krehnke, CISSP, CISM, IAM
Security Architecture and Models
Foster J. Henderson, CISSP, MCSE and Kellina M. Craig-Henderson, Ph.D.
Security Models for Object-Oriented Data Bases
James Cannady
Section 6.3 Common Flaws and Security Issues — System Architecture and Design
Common System Design Flaws and Security Issues
William Hugh Murray, CISSP
7 OPERATIONS SECURITY
Section 7.1 Concepts
Operations: The Center of Support and Control
Kevin Henry, CISA, CISSP
Why Today's Security Technologies Are So Inadequate: History, Implications, and New Approaches
Steven Hofmeyr, Ph.D.
Information Warfare and the Information Systems Security Professional
Jerry Kovacich
Steps for Providing Microcomputer Security
Douglas B. Hoyt
Protecting the Portable Computing Environment
Phillip Q. Maier
Operations Security and Controls
Patricia A.P. Fisher
Data Center Security: Useful Intranet Security Methods and Tools
John R. Vacca
Section 7.2 Resource Protection Requirements
Physical Access Control
Dan M. Bowers, CISSP
Software Piracy: Issues and Prevention
Roxanne E. Burkey
Section 7.3 Auditing
Auditing the Electronic Commerce Environment
Chris Hare, CISSP, CISA
Section 7.4 Intrusion Detection
Improving Network-Level Security through Real-Time Monitoring and Intrusion Detection
Chris Hare, CISSP, CISA
Intelligent Intrusion Analysis: How Thinking Machines Can Recognize Computer Intrusions
Bryan D. Fish, CISSP
How to Trap the Network Intruder
Jeff Flynn
Intrusion Detection: How to Utilize a Still Immature Technology
E. Eugene Schultz and Eugene Spafford
Section 7.5 Operations Controls
Directory Security
Ken Buszta, CISSP
8 BUSINESS CONTINUITY PLANNING
Section 8.1 Business Continuity Planning
Reengineering the Business Continuity Planning Process
Carl B. Jackson, CISSP, CBCP
The Role of Continuity Planning in the Enterprise Risk Management Structure
Carl B. Jackson, CISSP, CBCP
Business Continuity in the Distributed Environment
Steven P. Craig
The Changing Face of Continuity Planning
Carl Jackson, CISSP, CDCP
Section 8.2 Disaster Recovery Planning
Restoration Component of Business Continuity Planning
John Dorf, ARM and Martin Johnson, CISSP
Business Resumption Planning and Disaster Recovery: A Case History
Kevin Henry, CISA, CISSP
Business Continuity Planning: A Collaborative Approach
Kevin Henry, CISA, CISSP
Section 8.3 Elements of Business Continuity Planning
The Business Impact Assessment Process
Carl B. Jackson, CISSP, CBCP
9 LAW, INVESTIGATION, AND ETHICS
Section 9.1 Information Law
Jurisdictional Issues in Global Transmissions
Ralph Spencer Poore, CISSP, CISA, CFE
Liability for Lax Computer Security in DDoS Attacks
Dorsey Morrow, JD, CISSP
The Final HIPAA Security Rule Is Here! Now What?
Todd Fitzgerald, CISSP, CISA
HIPAA 201: A Framework Approach to HIPAA Security Readiness
David MacLeod, Ph.D., CISSP, Brian Geffert, CISSP, CISA, and David Deckter, CISSP
Internet Gripe Sites: Bally v. Faber
Edward H. Freeman
State Control of Unsolicited E-mail: State of Washington v. Heckel
Edward H. Freeman
The Legal Issues of Disaster Recovery Planning
Tari Schreider
Section 9.2 Investigations
Computer Crime Investigations: Managing a Process without Any Golden Rules
George Wade, CISSP
Operational Forensics
Michael J. Corby, CISSP
Computer Crime Investigation and Computer Forensics
Thomas Welch, CISSP, CPP
What Happened?
Kelly J. Kuchta, CPP, CFE
Section 9.3 Major Categories of Computer Crime
The International Dimensions of Cybercrime
Ed Gabrys, CISSP
Computer Abuse Methods and Detection
Donn B. Parker
Section 9.4 Incident Handling
Honeypot Essentials
Anton Chuvakin, Ph.D., GCIA, GCIH
CIRT: Responding to Attack
Chris Hare, CISSP, CISA
Managing the Response to a Computer Security Incident
Michael Vangelos, CISSP
Cyber-Crime: Response, Investigation, and Prosecution
Thomas Akin, CISSP
Incident Response Exercises
Ken M. Shaurette, CISSP, CISA, CISM, IAM and Thomas J. Schleppenbach
Software Forensics
Robert M. Slade, CISSP
Reporting Security Breaches
James S. Tiller, CISSP
Incident Response Management
Alan B. Sterneckert, CISA, CISSP, CFE, CCCI
Section 9.5 Ethics
Ethics and the Internet
Micki Krause, CISSP
Computer Ethics
Peter S. Tippett
10 PHYSICAL SECURITY
Section 10.1 Facility Requirements
Physical Security: A Foundation for Information Security
Christopher Steinke, CISSP
Physical Security: Controlled Access and Layered Defense
Bruce R. Mathews, CISSP
Computing Facility Physical Security
Alan Brusewitz, CISSP, CBCP
Closed Circuit Television and Video Surveillance
David Litzau, CISSP
Section 10.2 Technical Controls
Types of Information Security Controls
Harold F. Tipton, CISSP
Physical Security
Tom Peltier
Section 10.3 Environment and Life Safety
Physical Security: The Threat after September 11th, 2001
Jaymes Williams, CISSP
Glossary