Transcription

Information Security: Principles and Practices
Second Edition
Mark S. Merkow
Jim Breithaupt
800 East 96th Street, Indianapolis, Indiana 46240 USA

Information Security: Principles and Practices, Second Edition

Copyright 2014 by Pearson Education, Inc.

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-5325-0
ISBN-10: 0-7897-5325-1
Library of Congress Control Number: 2014937271
Printed in the United States of America
First Printing: June 2014

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book.

Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at [email protected] or (800) 382-3419.
For government sales inquiries, please contact [email protected]
For questions about sales outside the U.S., please contact [email protected]

Associate Publisher: Dave Dusthimer
Acquisitions Editor: Betsy Brown
Development Editor: Jeff Riley
Managing Editor: Sandra Schroeder
Senior Project Editor: Tonya Simpson
Copy Editor: Krista Hansing Editorial Services, Inc.
Indexer: Publishing Works
Proofreader: Paula Lowell
Technical Editors: Tatyana Zidarov, Chris Crayton
Publishing Coordinator: Vanessa Evans
Compositor: Trina Wurst
Designer: Alan Clements

Contents at a Glance

Preface  xiii
1  Why Study Information Security?  2
2  Information Security Principles of Success  18
3  Certification Programs and the Common Body of Knowledge  36
4  Governance and Risk Management  54
5  Security Architecture and Design  80
6  Business Continuity Planning and Disaster Recovery Planning  110
7  Law, Investigations, and Ethics  126
8  Physical Security Control  146
9  Operations Security  166
10 Access Control Systems and Methodology  182
11 Cryptography  200
12 Telecommunications, Network, and Internet Security  224
13 Software Development Security  260
14 Securing the Future  280
A  Common Body of Knowledge  292
B  Security Policy and Standards Taxonomy  302
C  Sample Policies  306
D  HIPAA Security Rule Standards  320
Index  324

Table of Contents

Preface  xiii

Chapter 1: Why Study Information Security?  2
  Introduction  2
  The Growing Importance of IT Security and New Career Opportunities  3
    An Increase in Demand by Government and Private Industry  4
  Becoming an Information Security Specialist  4
    Schools Are Responding to Demands  6
    The Importance of a Multidisciplinary Approach  7
  Contextualizing Information Security  7
    Information Security Careers Meet the Needs of Business  8
  Summary  11
  Test Your Skills  11

Chapter 2: Information Security Principles of Success  18
  Introduction  18
  Principle 1: There Is No Such Thing As Absolute Security  19
  Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability  20
    Integrity Models  21
    Availability Models  21
  Principle 3: Defense in Depth as Strategy  22
  Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions  24
  Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance  24
  Principle 6: Security Through Obscurity Is Not an Answer  25
  Principle 7: Security Risk Management  25
  Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive  27
  Principle 9: Complexity Is the Enemy of Security  29
  Principle 10: Fear, Uncertainty, and Doubt Do Not Work in Selling Security  29
  Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility  29

  Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!  30
  Summary  31
  Test Your Skills  31

Chapter 3: Certification Programs and the Common Body of Knowledge  36
  Introduction  36
  Certification and Information Security  37
  International Information Systems Security Certifications Consortium (ISC)2  38
  The Information Security Common Body of Knowledge  39
    Information Security Governance and Risk Management  39
    Security Architecture and Design  40
    Business Continuity and Disaster Recovery Planning  40
    Legal Regulations, Investigations, and Compliance  41
    Physical (Environmental) Security  41
    Operations Security  42
    Access Control  42
    Cryptography  42
    Telecommunications and Network Security  43
    Software Development Security  43
  Other Certificate Programs in the IT Security Industry  44
    Certified Information Systems Auditor  44
    Certified Information Security Manager  44
    Certified in Risk and Information Systems Control  44
    Global Information Assurance Certifications  44
    (ISC)2 Specialization Certificates  45
    CCFP: Certified Cyber Forensics Professional  45
    HCISPP: HealthCare Information Security and Privacy Practitioner  45
    Vendor-Specific and Other Certification Programs  46
  Summary  47
  Test Your Skills  47

Chapter 4: Governance and Risk Management  54
  Introduction  54
  Security Policies Set the Stage for Success  55
  Understanding the Four Types of Policies  57

    Programme-Level Policies  57
    Programme-Framework Policies  59
    Issue-Specific Policies  60
    System-Specific Policies  61
  Developing and Managing Security Policies  62
    Security Objectives  62
    Operational Security  62
    Policy Implementation  63
  Providing Policy Support Documents  64
    Regulations  64
    Standards and Baselines  66
    Guidelines  67
    Procedures  67
  Suggested Standards Taxonomy  67
    Asset and Data Classification  67
    Separation of Duties  68
    Employment Hiring Practices  69
    Risk Analysis and Management  70
    Education, Training, and Awareness  72
  Who Is Responsible for Security?  73
  Summary  74
  Test Your Skills  74

Chapter 5: Security Architecture and Design  80
  Introduction  80
  Defining the Trusted Computing Base  81
    Rings of Trust  81
  Protection Mechanisms in a TCB  84
  System Security Assurance Concepts  86
    Goals of Security Testing  86
  Fo