Book Introduction

Principles of Information Security (photographic reprint edition)
  • Authors: Whitman (US), Mattord (US)
  • Publisher: Tsinghua University Press, Beijing
  • ISBN: 7302068704
  • Publication year: 2003
  • Stated page count: 537 pages
  • File size: 75MB
  • File page count: 561 pages
  • Subject headings: Information systems - security technology - textbook


Table of Contents

Chapter 1 Introduction to Information Security ... 1
  Introduction ... 3
  The History of Information Security ... 4
  The 1960s ... 5
  The 1970s and 80s ... 6
  The 1990s ... 8
  The Present ... 9
  What Is Security? ... 9
  What Is Information Security? ... 10
  Critical Characteristics of Information ... 10
  Authenticity ... 11
  Accuracy ... 11
  Availability ... 11
  Confidentiality ... 12
  Integrity ... 13
  Utility ... 14
  Possession ... 14
  NSTISSC Security Model ... 15
  Components of an Information System ... 15
  Software ... 16
  Hardware ... 16
  Data ... 17
  People ... 17
  Procedures ... 17
  Securing the Components ... 18
  Balancing Security and Access ... 19
  Top-Down Approach to Security Implementation ... 20
  The Systems Development Life Cycle ... 21
  Methodology ... 21
  Phases ... 21
  Investigation ... 22
  Analysis ... 23
  Logical Design ... 23
  Physical Design ... 23
  Implementation ... 23
  Analysis ... 24
  Investigation ... 24
  The Security Systems Development Life Cycle ... 24
  Maintenance and Change ... 24
  Logical Design ... 25
  Physical Design ... 25
  Implementation ... 25
  Maintenance and Change ... 26
  Key Terms ... 28
  Security Professionals and the Organization ... 30
  Senior Management ... 30
  Security Project Team ... 32
  Data Ownership ... 32
  Organizational Management and Professionals ... 33
  Information Technology Management and Professionals ... 33
  Information Security Management and Professionals ... 33
  Communities of Interest ... 33
  Information Security: Is It an Art or a Science? ... 34
  Security as Art ... 34
  Security as Science ... 34
  Security as a Social Science ... 35
  Chapter Summary ... 35
  Review Questions ... 36
  Exercises ... 37
  Case Exercises ... 37

Chapter 2 The Need for Security ... 41
  Business Needs First, Technology Needs Last ... 43
  Protecting the Ability of the Organization to Function ... 43
  Introduction ... 43
  Enabling the Safe Operation of Applications ... 44
  Protecting Data that Organizations Collect and Use ... 44
  Safeguarding Technology Assets in Organizations ... 44
  Threats ... 45
  Threat Group 1: Inadvertent Acts ... 46
  Threat Group 2: Deliberate Acts ... 49
  Threat Group 3: Acts of God ... 64
  Threat Group 4: Technical Failures ... 66
  Threat Group 5: Management Failures ... 67
  Attacks ... 68
  Malicious Code ... 68
  Brute Force ... 69
  Password Crack ... 69
  Hoaxes ... 69
  Back Doors ... 69
  Dictionary ... 70
  Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) ... 70
  Spoofing ... 71
  Man-in-the-Middle ... 71
  Spam ... 72
  Mail Bombing ... 72
  Sniffers ... 72
  Social Engineering ... 73
  Buffer Overflow ... 74
  Review Questions ... 75
  Chapter Summary ... 75
  Timing Attack ... 75
  Case Exercises ... 77

Chapter 3 Legal, Ethical and Professional Issues in Information Security ... 83
  Introduction ... 84
  Law and Ethics in Information Security ... 85
  Types of Law ... 85
  Relevant U.S. Laws ... 85
  General Computer Crime Laws ... 86
  Privacy ... 86
  Export and Espionage Laws ... 91
  U.S. Copyright Law ... 92
  International Laws and Legal Bodies ... 94
  European Council Cyber-Crime Convention ... 95
  Digital Millennium Copyright Act (DMCA) ... 96
  United Nations Charter ... 96
  Policy Versus Law ... 97
  Ethical Concepts in Information Security ... 97
  Cultural Differences in Ethical Concepts ... 97
  Software License Infringement ... 98
  Illicit Use ... 99
  Misuse of Corporate Resources ... 99
  Ethics and Education ... 102
  Deterrence to Unethical and Illegal Behavior ... 102
  Codes of Ethics, Certifications, and Professional Organizations ... 103
  Other Security Organizations ... 109
  Key U.S. Federal Agencies ... 111
  Organizational Liability and the Need for Counsel ... 114
  Chapter Summary ... 114
  Review Questions ... 115
  Exercises ... 116
  Case Exercises ... 116

Chapter 4 Risk Management: Identifying and Assessing Risk ... 121
  Introduction ... 122
  Chapter Organization ... 123
  Risk Management ... 124
  Know the Enemy ... 125
  All Communities of Interest Are Accountable ... 125
  Know Yourself ... 125
  Integrating Risk Management into the SecSDLC ... 126
  Risk Identification ... 127
  Asset Identification and Valuation ... 127
  Automated Risk Management Tools ... 131
  Information Asset Classification ... 131
  Information Asset Valuation ... 132
  Listing Assets in Order of Importance ... 134
  Data Classification and Management ... 135
  Security Clearances ... 137
  Management of Classified Data ... 137
  Identify and Prioritize Threats and Threat Agents ... 139
  Threat Identification ... 139
  Vulnerability Identification ... 143
  Risk Assessment ... 145
  Introduction to Risk Assessment ... 145
  Likelihood ... 145
  Valuation of Information Assets ... 146
  Percentage of Risk Mitigated by Current Controls ... 147
  Risk Determination ... 147
  Identify Possible Controls ... 147
  Access Controls ... 148
  Documenting Results of Risk Assessment ... 150
  Chapter Summary ... 151
  Review Questions ... 153
  Case Exercises ... 154
  Exercises ... 154

Chapter 5 Risk Management: Assessing and Controlling Risk ... 158
  Introduction ... 159
  Risk Control Strategies ... 160
  Avoidance ... 161
  Transference ... 163
  Mitigation ... 164
  Acceptance ... 166
  Risk Mitigation Strategy Selection ... 167
  Evaluation, Assessment, and Maintenance of Risk Controls ... 168
  Control Function ... 169
  Architectural Layer ... 169
  Categories of Controls ... 169
  Strategy Layer ... 170
  Information Security Principles ... 170
  Feasibility Studies ... 171
  Cost Benefit Analysis (CBA) ... 171
  Other Feasibility Studies ... 183
  Risk Management Discussion Points ... 185
  Risk Appetite ... 185
  Residual Risk ... 186
  Documenting Results ... 187
  Recommended Practices in Controlling Risk ... 187
  Delphi Technique ... 188
  Risk Management and the SecSDLC ... 188
  Qualitative Measures ... 188
  Chapter Summary ... 189
  Review Questions ... 190
  Exercises ... 191
  Case Exercises ... 193

Chapter 6 Blueprint for Security ... 198
  Introduction ... 199
  Information Security Policy, Standards, and Practices ... 199
  Definitions ... 201
  Security Program Policy (SPP) ... 202
  Issue-Specific Security Policy (ISSP) ... 203
  Systems-Specific Policy (SysSP) ... 206
  Policy Management ... 210
  Information Classification ... 212
  Systems Design ... 213
  Information Security Blueprints ... 215
  ISO 17799/BS 7799 ... 215
  NIST Security Models ... 217
  NIST Special Publication SP 800-12 ... 217
  NIST Special Publication 800-14 ... 218
  IETF Security Architecture ... 222
  VISA International Security Model ... 222
  Baselining and Best Business Practices ... 223
  Hybrid Framework for a Blueprint of an Information Security System ... 224
  Security Education, Training, and Awareness Program ... 227
  Security Education ... 228
  Security Awareness ... 229
  Security Training ... 229
  Design of Security Architecture ... 230
  Defense in Depth ... 230
  Security Perimeter ... 231
  Key Technology Components ... 231
  Chapter Summary ... 234
  Review Questions ... 236
  Exercises ... 237
  Case Exercises ... 237

Chapter 7 Planning for Continuity ... 241
  Introduction ... 242
  Continuity Strategy ... 243
  Business Impact Analysis ... 246
  Threat Attack Identification and Prioritization ... 247
  Business Unit Analysis ... 247
  Attack Success Scenario Development ... 248
  Potential Damage Assessment ... 248
  Subordinate Plan Classification ... 248
  Incident Response Planning ... 249
  Incident Planning ... 250
  Incident Detection ... 253
  When Does an Incident Become a Disaster? ... 256
  Incident Reaction ... 256
  Notification of Key Personnel ... 256
  Incident Containment Strategies ... 257
  Documenting an Incident ... 257
  Incident Recovery ... 259
  Prioritization of Efforts ... 259
  Damage Assessment ... 259
  Recovery ... 260
  Backup Media ... 263
  Automated Response ... 264
  Disaster Recovery Planning ... 265
  The Disaster Recovery Plan ... 265
  Crisis Management ... 266
  Recovery Operations ... 267
  Developing Continuity Programs (BCPs) ... 268
  Continuity Strategies ... 268
  Business Continuity Planning ... 268
  Model for a Consolidated Contingency Plan ... 271
  The Planning Document ... 271
  Law Enforcement Involvement ... 273
  Local, State, or Federal Authorities ... 273
  Benefits and Drawbacks of Law Enforcement Involvement ... 274
  Chapter Summary ... 275
  Review Questions ... 276
  Exercises ... 277
  Case Exercises ... 278

Chapter 8 Security Technology ... 281
  Introduction ... 282
  Physical Design of the SecSDLC ... 283
  Development of Firewalls ... 284
  Firewalls ... 284
  Firewall Architectures ... 287
  Configuring and Managing Firewalls ... 291
  Dial-up Protection ... 293
  RADIUS and TACACS ... 294
  Intrusion Detection Systems (IDS) ... 295
  Host-based IDS ... 295
  Network-based IDS ... 296
  Signature-based IDS ... 297
  Statistical Anomaly-based IDS ... 298
  Scanning and Analysis Tools ... 299
  Port Scanners ... 300
  Vulnerability Scanners ... 301
  Packet Sniffers ... 302
  Content Filters ... 303
  Trap and Trace ... 304
  Cryptography and Encryption-based Solutions ... 304
  Encryption Definitions ... 305
  Encryption Operations ... 307
  Vernam Cipher ... 308
  Book or Running Key Cipher ... 308
  Symmetric Encryption ... 310
  Asymmetric Encryption ... 312
  Digital Signatures ... 313
  RSA ... 313
  What Are Digital Certificates and Certificate Authorities? ... 314
  PKI ... 314
  Hybrid Systems ... 316
  Securing E-mail ... 317
  Securing the Web ... 317
  Securing Authentication ... 319
  Sesame ... 321
  Access Control Devices ... 321
  Authentication ... 321
  Effectiveness of Biometrics ... 324
  Acceptability of Biometrics ... 325
  Chapter Summary ... 325
  Review Questions ... 327
  Case Exercises ... 328
  Exercises ... 328

Chapter 9 Physical Security ... 332
  Introduction ... 334
  Access Controls ... 335
  Controls for Protecting the Secure Facility ... 336
  Fire Safety ... 343
  Fire Detection and Response ... 343
  Failure of Supporting Utilities and Structural Collapse ... 350
  Heating, Ventilation, and Air Conditioning ... 350
  Power Management and Conditioning ... 351
  Testing Facility Systems ... 356
  Interception of Data ... 356
  Mobile and Portable Systems ... 357
  Remote Computing Security ... 359
  Special Considerations for Physical Security Threats ... 361
  Inventory Management ... 362
  Chapter Summary ... 362
  Review Questions ... 363
  Exercises ... 365
  Case Exercises ... 366

Chapter 10 Implementing Security ... 369
  Introduction ... 371
  Project Management in the Implementation Phase ... 372
  Developing the Project Plan ... 373
  Project Planning Considerations ... 378
  Executing the Plan ... 382
  The Need for Project Management ... 382
  Supervising Implementation ... 382
  Wrap-up ... 383
  Technical Topics of Implementation ... 384
  Conversion Strategies ... 384
  The Bull's-eye Model for Information Security Project Planning ... 385
  To Outsource or Not ... 386
  Technology Governance and Change Control ... 387
  Nontechnical Aspects of Implementation ... 387
  The Culture of Change Management ... 387
  Considerations for Organizational Change ... 389
  Chapter Summary ... 390
  Review Questions ... 392
  Exercises ... 393
  Case Exercises ... 394

Chapter 11 Security and Personnel ... 397
  Introduction ... 399
  The Security Function Within an Organization's Structure ... 399
  Staffing the Security Function ... 400
  Qualifications and Requirements ... 401
  Entry into the Security Profession ... 402
  Information Security Positions ... 403
  Credentials of Information Security Professionals ... 407
  Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP) ... 408
  Security Certified Professional ... 410
  TruSecure ICSA Certified Security Associate (T.I.C.S.A.) and TruSecure ICSA Certified Security Expert (T.I.C.S.E.) ... 411
  Security+ ... 412
  Certified Information Systems Auditor (CISA) ... 413
  Certified Information Systems Forensics Investigator ... 413
  Related Certifications ... 414
  Cost of Being Certified ... 414
  Advice for Information Security Professionals ... 415
  Employment Policies and Practices ... 416
  Hiring and Termination Issues ... 417
  Performance Evaluation ... 420
  Termination ... 420
  Security Considerations for Nonemployees ... 421
  Contract Employees ... 422
  Temporary Employees ... 422
  Consultants ... 423
  Business Partners ... 423
  Separation of Duties and Collusion ... 424
  Privacy and the Security of Personnel Data ... 425
  Chapter Summary ... 426
  Review Questions ... 427
  Exercises ... 429
  Case Exercises ... 429

Chapter 12 Information Security Maintenance ... 433
  Introduction ... 434
  Security Management Models ... 436
  Managing for Change ... 436
  The ISO Network Management Model ... 437
  The Maintenance Model ... 446
  Monitoring the External Environment ... 447
  Monitoring the Internal Environment ... 452
  Planning and Risk Assessment ... 455
  Vulnerability Assessment and Remediation ... 462
  Readiness and Review ... 470
  Chapter Summary ... 473
  Review Questions ... 474
  Exercises ... 475
  Case Exercises ... 475

Appendix A Cryptography ... 478
  Introduction ... 478
  Definitions ... 481
  Types of Ciphers ... 483
  Polyalphabetic Substitution Ciphers ... 484
  Transposition Ciphers ... 485
  Cryptographic Algorithms ... 486
  Asymmetric Cryptography or Public Key Cryptography ... 489
  Hybrid Cryptosystems ... 489
  Popular Cryptographic Algorithms ... 490
  Data Encryption Standard (DES) ... 490
  Data Encryption Core Process ... 493
  Public Key Infrastructure (PKI) ... 499
  Digital Certificates ... 500
  Digital Signatures ... 500
  Pretty Good Privacy (PGP) ... 502
  PGP Suite of Security Solutions ... 502
  Protocols for Secure Communications ... 503
  S-HTTP and SSL ... 503
  Secure/Multipurpose Internet Mail Extension (S/MIME) ... 504
  Internet Protocol Security (IPSec) ... 505
  Attacks on Cryptosystems ... 507
  Man-in-the-Middle Attack ... 507
  Correlation Attacks ... 507
  Dictionary Attacks ... 508
  Timing Attacks ... 508
Glossary ... 510
