Second Edition Dedications ... 6
Quotations ... 7
Foreword ... 8
Second Edition Preface ... 10
Acknowledgements ... 14
Contents ... 15

Section 1 An Introduction to Information Assurance ... 16

1 What is Information Assurance? ... 17
1.1 Information Assurance and Its Subset: Information Security ... 17
1.1.1 Interruption, Interception, Modification and Fabrication ... 18
1.1.2 Information Assurance in Context ... 19
1.2 Information Warfare ... 21
1.2.1 Perspectives on Information Warfare ... 23
1.2.2 Nature of the Threat ... 24
1.3 Information Operations ... 25
1.3.1 The Physical Level ... 26
1.3.2 The Information Structure Level ... 27
1.3.3 Perceptual Level ... 27
1.4 Summary ... 29

2 The World of Information ... 30
2.1 What is Information? ... 30
2.2 Properties of Information ... 30
2.3 Information and Competitive Advantage ... 31
2.3.1 Proprietary Advantage ... 32
2.3.2 One-Step Ahead ... 32
2.3.3 Discontinuity ... 32
2.3.4 Implementation ... 33
2.4 Birth of the Internet and Cyber-Crime ... 33
2.5 Power of Information ... 35
2.6 Consumer-Provider Model of Information Usage ... 37
2.6.1 Generation, Validation and Propagation ... 38
2.6.2 Acquisition, Integration and Selection ... 38
2.7 Intelligence Model of Information Usage ... 39
2.8 Summary ... 41

3 The Theory of Risks ... 42
3.1 Threats, Vulnerabilities and Risks ... 42
3.2 Threats and Threat Agents ... 42
3.2.1 The Natural Threat Agents ... 45
3.2.2 The Unintentional Threat Agents ... 45
3.2.3 The Intentional Threat Agents ... 46
3.3 Threat Components Applying to Malicious Threats ... 48
3.3.1 Threat Agent ... 48
3.3.2 Capability ... 49
3.3.3 Threat Inhibitors ... 49
3.3.4 Threat Amplifiers ... 50
3.3.5 Threat Catalysts ... 51
3.3.6 Threat Agent Motivators ... 51
3.4 Vulnerabilities ... 52
3.5 Risk and Risk Management ... 57
3.5.1 Threat Matrix ... 60
3.5.2 Risk Management ... 61
3.5.3 Five Principles of Risk Management ... 61
3.5.4 Sixteen Successful Practices ... 61
3.6 Summary ... 64

4 The Information World of Crime ... 65
4.1 Introduction ... 65
4.2 Information Systems and Crime ... 66
4.3 Modus Operandi ... 67
4.4 Information Systems Crime Adversarial Matrix ... 68
4.4.1 Organisational Characteristics ... 69
4.4.2 Operational Characteristics ... 69
4.4.3 Behavioural Characteristics ... 70
4.4.4 Resource Characteristics ... 70
4.5 Motives of the Cyber Criminal ... 71
4.5.1 Power Assurance (aka Compensatory) ... 71
4.5.2 Power Assertive (aka Entitlement) ... 73
4.5.3 Anger Retaliatory ... 74
4.5.4 Sadistic ... 75
4.5.5 Profit Oriented ... 75
4.6 A Model of Information Systems' Intrusions ... 76
4.6.1 Target Identification ... 77
4.6.2 Motivational Factors ... 78
4.6.3 Choice Criteria ... 79
4.6.4 Target Selection and Intelligence ... 79
4.6.5 Open Source Intelligence ... 80
4.6.6 Topology ... 81
4.6.7 The Deployment Decision ... 81
4.6.8 Vulnerability Management ... 81
4.7 Summary ... 82

5 IA Trust and Supply Chains ... 83
5.1 Introduction ... 83
5.2 Developing a Conceptual Model of Trust ... 84
5.2.1 NICE Model of Trust ... 85
5.2.2 Trust Footprint ... 87
5.3 Supply Chains ... 88
5.4 Analysis of Supply Chains ... 92
5.4.1 Primary Activities ... 93
5.4.2 Support Activities ... 94
5.4.3 Industry Value Chain Showing Strategic Alliances Between Organisations ... 94
5.5 Summary ... 96

6 Basic IA Concepts and Models ... 97
6.1 Introduction ... 97
6.2 IA Goals and Objectives ... 98
6.3 Three Basic Concepts ... 98
6.3.1 Access Controls ... 98
6.3.2 Individual Accountability ... 99
6.3.3 Audit Trails ... 100
6.4 The Information Value Model ... 101
6.4.1 Valuing Information ... 101
6.4.2 How to Determine the Value of Corporate Information ... 101
6.4.3 The Value of Information ... 102
6.5 Three Basic Categories of Information ... 103
6.5.1 Personal, Private Information ... 103
6.5.2 Business Information ... 104
6.6 Determining Information Value Considerations ... 105
6.6.1 Questions to Ask When Considering Information Value ... 106
6.7 Another View of Information Valuation ... 107
6.7.1 The Information Environment ... 107
6.7.2 Value of Information ... 108
6.8 The Need-To-Know Model ... 108
6.9 The Confidentiality-Integrity-Availability Model ... 110
6.9.1 Confidentiality ... 110
6.9.2 Integrity ... 110
6.9.3 Availability ... 110
6.10 The Protect-Detect-React-Deter Model ... 111
6.10.1 Protect ... 111
6.10.2 Detect ... 111
6.10.3 Case Example – Do not Rush to Judgement ... 113
6.10.4 React ... 114
6.10.5 Deter ... 115
6.10.6 Questions and Some Answers to Think About ... 115
6.11 IA Success Considerations ... 116
6.12 Summary ... 116

7 The Role of Policy in Information Assurance ... 117
7.1 Introduction ... 117
7.2 A Model of Policy Development ... 117
7.3 Types of IA Policies ... 118
7.4 Acceptable Usage Policy ... 120
7.5 Summary ... 121

Section 2 IA in the World of Corporations ... 122

8 The Corporate Security Officer ... 123
8.1 A Short History of the World of Corporate Security ... 123
8.2 The Corporate Security Officer ... 126
8.3 Corporate Security Duties and Responsibilities ... 127
8.4 Corporate Security Support Tools and Processes ... 128
8.5 The More Things Change the More They Don't ... 129
8.6 Information Assurance: Whose Responsibility Is It? ... 130
8.7 Is IA a Corporate Security Responsibility? ... 131
8.8 Summary ... 133

9 Corporate Security Functions ... 134
9.1 Introduction ... 134
9.2 Corporate Security IA-Related Functions ... 135
9.2.1 Evaluate Current Security Requirements ... 135
9.2.2 Corporate Security Plan ... 136
9.2.3 Management Direction for Security Activities ... 136
9.2.4 Interface with Other Directors ... 137
9.2.5 Comply with Contractual, Customer and Regulatory Requirements ... 137
9.2.6 Corporate-Wide InfoSec Program ... 138
9.2.7 Corporate-Wide Crisis Management Program ... 138
9.2.8 Establish Common Security Processes ... 139
9.2.9 Provide Productive and Safe Working Environment ... 139
9.2.10 Corporate Security Measurement System ... 139
9.2.11 Common Managerial Accountabilities ... 140
9.2.12 Physically Secure Environment ... 140
9.2.13 Government Compliance Requirements ... 142
9.2.14 Corporate Management Guidance ... 142
9.2.15 Security Liaison Activities ... 143
9.2.16 Co-ordinate Corporate Security Policies and Procedures ... 143
9.2.17 Corporate-Wide Contingency Plan ... 144
9.2.18 Corporate Crisis Management Room ... 145
9.2.19 Corporate-Wide Security Measurement System ... 145
9.2.20 Law Enforcement Liaison ... 145
9.2.21 Chair Corporate Security Council ... 145
9.2.22 Corporate Security Policy and Procedures ... 146
9.2.23 CSO as IA Leader ... 147
9.3 Summary ... 147

10 IA in the Interest of National Security ... 148
10.1 Introduction ... 148
10.1.1 IA: A Definition ... 149
10.1.2 Levels of Protection ... 150
10.1.3 System Assurance ... 150
10.2 National Security Classified Information ... 150
10.2.1 An Example of National Security Information Impact ... 153
10.3 IA Requirements in the National Security Arena ... 153
10.3.1 IA Objective in the National Security Environment ... 155
10.3.2 Responsibilities ... 155
10.3.3 Collective IA Controls ... 156
10.3.4 Government Customer Approval Process ... 156
10.3.5 AIS Modes of Operation ... 157
10.3.6 The Appointment of the Defence Industry-Related Corporation's Focal Point for IA ... 158
10.3.7 Documenting and Gaining Government Customer Approval for Processing, Storing and Transmitting National Security Information ... 158
10.4 Summary ... 160
A Case Study ... 161

11 The Corporate IA Officer ... 165
11.1 The Corporate Information Assurance Officer ... 165
11.1.1 CIAO Position ... 166
11.1.2 CIAO Duties and Responsibilities ... 166
11.1.3 Goals and Objectives ... 168
11.1.4 Leadership Position ... 169
11.1.5 Vision, Mission and Quality Statements ... 171
11.2 Summary ... 173

12 IA Organisational Functions ... 174
12.1 Determining Major IA Functions ... 174
12.2 IA Functions and Process Development ... 177
12.2.1 IA Requirements Function ... 177
12.2.2 IA Policy Function ... 178
12.2.3 IA Procedures Function ... 179
12.2.4 Systems IA Architecture Function ... 180
12.2.5 IA Awareness and Training Function ... 180
12.2.6 Access Control and Audit Records Analyses Functions ... 182
12.2.7 Evaluation of all Hardware, Firmware and Software Functions ... 184
12.2.8 Applying Risk Management Principles and Establishing a Risk Management Function ... 186
12.2.9 IA Tests and Evaluations Function ... 187
12.2.10 IA Non-Compliance Inquiries Process ... 188
12.2.11 IA Contingency Planning and Disaster Recovery Function ... 189
12.3 Summary ... 192

13 Incident Management and Response ... 194
13.1 Incident Triage ... 196
13.2 Incident Coordination ... 196
13.3 Incident Resolution ... 197
13.4 Proactive Activities ... 197
13.4.1 Information Provision and Sharing ... 197
13.4.2 Security Tools ... 198
13.4.3 Education and Training ... 198
13.4.4 Product and Services Evaluation ... 199
13.4.5 Site Security Auditing ... 199

Section 3 Technical Aspects of IA ... 200

14 IA and Software ... 201
14.1 Operating Systems and Trusted Systems ... 201
14.1.1 Security Policies ... 201
14.1.2 Models of Security ... 202
14.1.3 Security Methods of Operating Systems ... 204
14.1.4 Typical Operating System Flaws ... 205
14.2 Databases and Database Security ... 205
14.2.1 Physical Database Integrity ... 206
14.2.2 Logical Database Integrity ... 207
14.2.3 Element Integrity ... 208
14.2.4 Access Control ... 209
14.2.5 Auditability ... 210
14.2.6 User Authentication ... 210
14.2.7 Availability ... 211
14.2.8 Database Case Study ... 211
14.3 Application Software ... 212
14.3.1 Malicious Code ... 212
14.3.2 Viruses ... 217
14.3.3 Bots and Bot-Nets ... 218
14.4 Digital Tradecraft ... 219
14.4.1 Digital Tradecraft Defined ... 219
14.4.2 Digital Dead Drop ... 220
14.5 Steganography ... 221
14.6 Summary ... 222

15 Applying Cryptography to IA ... 223
15.1 Principles of Encryption ... 223
15.2 Symmetric Ciphers ... 225
15.3 Asymmetric Ciphers ... 225
15.4 Digital Signatures and Certificates ... 226
15.5 Key Management and Key Distribution ... 229
15.6 Summary ... 231

16 IA Technology Security ... 232
16.1 Biometrics ... 232
16.1.1 The Role and Function of Biometrics ... 232
16.1.2 Analysis of Basic Biometric Models ... 233
16.1.3 Fingerprint Verification ... 234
16.1.4 Iris Analysis ... 235
16.1.5 Facial Analysis ... 236
16.1.6 Hand Geometry ... 236
16.1.7 Speech Analysis ... 237
16.1.8 Hand-Written Signature Verification ... 237
16.1.9 Threats and Risks to Biometrics ... 238
16.2 EMP Weapons and HERF Guns ... 239
16.3 TEMPEST ... 239
16.4 Closed Circuit Television ... 241
16.5 Microsoft and Network Security ... 243
16.6 Summary ... 244

17 Security Standards ... 245
17.1 BS7799 and ISO17799 ... 245
17.2 ISO13335 ... 247
17.3 Common Criteria ... 248
17.4 Summary ... 250

Section 4 The Future and Final Comments ... 251

18 The Future, Conclusions and Comments ... 252
18.1 Information Assurance: Getting There ... 252
18.1.1 The New Threat of Terrorism ... 253
18.2 Welcome to the World of Constant Change ... 254
18.2.1 Changes in Societies ... 254
18.2.2 Economic, Global Competition ... 256
18.2.3 Technology ... 257
18.2.4 The IA Professional ... 260
18.3 Summary ... 261

Biography ... 262
Index ... 264