Principles of Information Security, 7th Edition
By Michael E. Whitman and Herbert J. Mattord
Table of Contents:
Preface xi
Module 1
Introduction to Information Security 1
Introduction To Information Security 2
The 1960s 3
The 1970s and ’80s 4
The 1990s 7
2000 to Present 7
What Is Security? 8
Key Information Security Concepts 9
Critical Characteristics of Information 11
CNSS Security Model 14
Components Of An Information System 15
Software 15
Hardware 15
Data 16
People 16
Procedures 16
Networks 17
Security And The Organization 17
Balancing Information Security and Access 17
Approaches to Information Security Implementation 18
Security Professionals 19
Data Responsibilities 20
Communities of Interest 20
Information Security: Is It An Art Or A Science? 21
Security as Art 21
Security as Science 21
Security as a Social Science 22
Module Summary 23
Review Questions 23
Exercises 24
References 24
Module 2
The Need for Information Security 27
Introduction To The Need For Information Security 28
Business Needs First 29
Information Security Threats And Attacks 30
4.8 Billion Potential Hackers 30
Other Studies of Threats 31
Common Attack Pattern Enumeration and Classification (CAPEC) 33
The 12 Categories Of Threats 34
Compromises to Intellectual Property 34
Deviations in Quality of Service 37
Espionage or Trespass 39
Forces of Nature 47
Human Error or Failure 49
Information Extortion 54
Sabotage or Vandalism 56
Software Attacks 58
Technical Hardware Failures or Errors 66
Technical Software Failures or Errors 67
Technological Obsolescence 72
Theft 73
Module Summary 74
Review Questions 75
Exercises 76
References 76
Module 3
Information Security Management 81
Introduction to the Management of Information Security 82
Planning 82
Policy 83
Programs 83
Protection 83
People 83
Projects 83
Information Security Planning And Governance 84
Information Security Leadership 84
Information Security Governance Outcomes 86
Planning Levels 87
Planning and the CISO 87
Information Security Policy, Standards, And Practices 88
Policy as the Foundation for Planning 88
Enterprise Information Security Policy 91
Issue-Specific Security Policy 91
Systems-Specific Security Policy (SysSP) 95
Developing and Implementing Effective Security Policy 97
Policy Management 103
Security Education, Training, And Awareness Program 104
Security Education 105
Security Training 106
Security Awareness 106
Information Security Blueprint, Models, And Frameworks 107
The ISO 27000 Series 107
NIST Security Models 109
Other Sources of Security Frameworks 113
Design of the Security Architecture 113
Module Summary 118
Review Questions 118
Exercises 119
References 119
Module 4
Risk Management 121
Introduction To Risk Management 122
Sun Tzu and the Art of Risk Management 122
The Risk Management Framework 123
The Roles of the Communities of Interest 124
The RM Policy 125
Framework Design 126
Defining the Organization’s Risk Tolerance and Risk Appetite 126
Framework Implementation 127
Framework Monitoring and Review 127
The Risk Management Process 128
RM Process Preparation—Establishing the Context 129
Risk Assessment: Risk Identification 129
Risk Assessment: Risk Analysis 142
Risk Evaluation 149
Risk Treatment/Risk Response 152
Risk Mitigation 152
Risk Transference 153
Risk Acceptance 154
Risk Termination 155
Process Communications, Monitoring, and Review 155
Mitigation and Risk 155
Managing Risk 157
Feasibility and Cost-Benefit Analysis 159
Alternative Risk Management Methodologies 164
The OCTAVE Methods 164
FAIR 165
ISO Standards for InfoSec Risk Management 166
NIST Risk Management Framework (RMF) 166
Selecting the Best Risk Management Model 169
Module Summary 171
Review Questions 172
Exercises 172
References 174
Module 5
Incident Response and Contingency Planning 175
Introduction To Incident Response And Contingency Planning 176
Fundamentals Of Contingency Planning 177
Components of Contingency Planning 179
Business Impact Analysis 180
Contingency Planning Policies 185
Incident Response 186
Getting Started 186
Incident Response Policy 187
Incident Response Planning 188
Detecting Incidents 191
Reacting to Incidents 193
Recovering from Incidents 195
Digital Forensics 200
The Digital Forensics Team 201
Affidavits and Search Warrants 201
Digital Forensics Methodology 201
Evidentiary Procedures 206
Disaster Recovery 206
The Disaster Recovery Process 207
Disaster Recovery Policy 208
Disaster Classification 209
Planning to Recover 209
Responding to the Disaster 211
Business Continuity 212
Business Continuity Policy 213
Business Resumption 213
Continuity Strategies 214
Timing and Sequence of CP Elements 215
Crisis Management 217
Testing Contingency Plans 217
Final Thoughts on CP 218
Module Summary 219
Review Questions 220
Exercises 221
References 221
Module 6
Legal, Ethical, and Professional Issues in Information Security 223
Introduction To Law And Ethics In Information Security 224
Organizational Liability and the Need for Counsel 224
Policy Versus Law 225
Types of Law 225
Relevant U.S. Laws 226
General Computer Crime Laws 226
Privacy 227
Identity Theft 234
Export and Espionage Laws 236
U.S. Copyright Law 237
Financial Reporting 237
Freedom of Information Act of 1966 238
Payment Card Industry Data Security Standards (PCI DSS) 238
State and Local Regulations 239
International Laws And Legal Bodies 240
U.K. Computer Security Laws 240
Australian Computer Security Laws 240
Council of Europe Convention on Cybercrime 240
World Trade Organization and the Agreement on Trade-Related Aspects of Intellectual Property Rights 241
Digital Millennium Copyright Act 241
Ethics And Information Security 242
Ethical Differences Across Cultures 243
Ethics and Education 244
Deterring Unethical and Illegal Behavior 246
Codes Of Ethics Of Professional Organizations 247
Major IT and InfoSec Professional Organizations 247
Key U.S. Federal Agencies 249
Department of Homeland Security 249
U.S. Secret Service 252
Federal Bureau of Investigation (FBI) 253
National Security Agency (NSA) 255
Module Summary 256
Review Questions 257
Exercises 257
References 258
Module 7
Security and Personnel 261
Introduction To Security And Personnel 262
Positioning The Security Function 263
Staffing The Information Security Function 264
Qualifications and Requirements 266
Entry into the Information Security Profession 267
Information Security Positions 267
Credentials For Information Security Professionals 273
(ISC)² Certifications 273
ISACA Certifications 276
SANS Certifications 277
EC-Council Certifications 279
CompTIA Certifications 280
Cloud Security Certifications 281
Certification Costs 281
Advice for Information Security Professionals 282
Employment Policies And Practices 283
Job Descriptions 284
Interviews 284
Background Checks 284
Employment Contracts 285
New Hire Orientation 285
On-the-Job Security Training 285
Evaluating Performance 286
Termination 286
Personnel Control Strategies 287
Privacy and the Security of Personnel Data 289
Security Considerations for Temporary Employees, Consultants, and Other Workers 289
Module Summary 291
Review Questions 292
Exercises 293
References 293
Module 8
Security Technology: Access Controls, Firewalls, and VPNs 295
Introduction To Access Controls 296
Access Control Mechanisms 298
Biometrics 301
Access Control Architecture Models 304
Firewall Technologies 308
Firewall Processing Modes 309
Firewall Architectures 313
Selecting the Right Firewall 317
Configuring and Managing Firewalls 318
Content Filters 324
Protecting Remote Connections 325
Remote Access 325
Virtual Private Networks (VPNs) 329
Final Thoughts On Remote Access And Access Controls 331
Deperimeterization 331
Remote Access in the Age of COVID-19 332
Module Summary 333
Review Questions 333
Exercises 334
References 334
Module 9
Security Technology: Intrusion Detection and Prevention Systems and Other Security Tools 337
Introduction To Intrusion Detection And Prevention Systems 338
IDPS Terminology 339
Why Use an IDPS? 340
Types of IDPSs 342
IDPS Detection Methods 350
Log File Monitors 351
Security Information and Event Management (SIEM) 351
IDPS Response Behavior 354
Selecting IDPS Approaches and Products 356
Strengths and Limitations of IDPSs 360
Deployment and Implementation of an IDPS 361
Measuring the Effectiveness of IDPSs 365
Honeypots, Honeynets, And Padded Cell Systems 367
Trap-and-Trace Systems 368
Active Intrusion Prevention 369
Scanning And Analysis Tools 370
Port Scanners 372
Firewall Analysis Tools 373
Operating System Detection Tools 373
Vulnerability Scanners 374
Packet Sniffers 377
Wireless Security Tools 378
Module Summary 380
Review Questions 381
Exercises 381
References 381
Module 10
Cryptography 383
Introduction To Cryptography 384
The History of Cryptology 384
Key Cryptology Terms 385
Encryption Methods 386
Substitution Cipher 387
Transposition Cipher 390
Exclusive OR 391
Vernam Cipher 392
Book-Based Ciphers 393
Hash Functions 394
Cryptographic Algorithms 396
Symmetric Encryption 396
Asymmetric Encryption 397
Encryption Key Size 398
Cryptographic Tools 400
Public Key Infrastructure (PKI) 400
Digital Signatures 401
Digital Certificates 402
Hybrid Cryptography Systems 403
Steganography 404
Protocols For Secure Communications 405
Securing Internet Communication with HTTPS and SSL 405
Securing E-Mail with S/MIME, PEM, and PGP 406
Securing Web Transactions with SET, SSL, and HTTPS 407
Securing Wireless Networks with WPA and RSN 408
Securing TCP/IP with IPSec and PGP 410
Module Summary 413
Review Questions 414
Exercises 415
References 415
Module 11
Implementing Information Security 417
Introduction To Information Security Implementation 418
The Systems Development Life Cycle 419
Traditional Development Methods 419
Software Assurance 421
The NIST Approach to Securing the SDLC 423
Information Security Project Management 428
Developing the Project Plan 429
Project Planning Considerations 432
The Need for Project Management 434
Security Project Management Certifications 436
Technical Aspects Of Implementation 437
Conversion Strategies 437
The Bull’s-Eye Model 438
To Outsource or Not 439
Technology Governance and Change Control 440
The Center for Internet Security’s Critical Security Controls 440
Nontechnical Aspects Of Implementation 441
The Culture of Change Management 442
Considerations for Organizational Change 442
Module Summary 444
Review Questions 445
Exercises 446
References 446
Module 12
Information Security Maintenance 447
Introduction To Information Security Maintenance 448
Security Management Maintenance Models 449
NIST SP 800-100, “Information Security Handbook: A Guide for Managers” 449
The Security Maintenance Model 470
Monitoring the External Environment 470
Monitoring the Internal Environment 474
Planning and Risk Assessment 476
Vulnerability Assessment and Remediation 481
Readiness and Review 489
Physical Security 490
Physical Access Controls 491
Physical Security Controls 491
Fire Security and Safety 494
Failure of Supporting Utilities and Structural Collapse 494
Heating, Ventilation, and Air Conditioning 494
Power Management and Conditioning 495
Interception of Data 496
Securing Mobile and Portable Systems 496
Special Considerations for Physical Security 498
Module Summary 500
Review Questions 501
Exercises 502
References 502
Glossary 505
Index 527