HAPPY BOOKSGIVING
Use code BOOKSGIVING during checkout to save 40%-55% on books and eBooks. Shop now.
Register your product to gain access to bonus material or receive a coupon.
This eBook includes the following formats, accessible from your Account page after purchase:
EPUB The open industry format known for its reflowable content and usability on supported mobile devices.
PDF The popular standard, used most often with the free Acrobat® Reader® software.
This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.
This eBook includes the following formats, accessible from your Account page after purchase:
EPUB The open industry format known for its reflowable content and usability on supported mobile devices.
PDF The popular standard, used most often with the free Acrobat® Reader® software.
This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.
• Understand the cybersecurity discipline and the role of standards and best practices
• Define security governance, assess risks, and manage strategy and tactics
• Safeguard information and privacy, and ensure GDPR compliance
• Harden systems across the system development life cycle (SDLC)
• Protect servers, virtualized systems, and storage
• Secure networks and electronic communications, from email to VoIP
• Apply the most appropriate methods for user authentication
• Mitigate security risks in supply chains and cloud environments
William Stallings’ Effective Cybersecurity offers a comprehensive and unified explanation of the best practices and standards that represent proven, consensus techniques for implementing cybersecurity. Stallings draws on the immense work that has been collected in multiple key security documents, making this knowledge far more accessible than it has ever been before. Effective Cybersecurity is organized to align with the comprehensive Information Security Forum document The Standard of Good Practice for Information Security, but deepens, extends, and complements ISF’s work with extensive insights from the ISO 27002 Code of Practice for Information Security Controls, the NIST Framework for Improving Critical Infrastructure Cybersecurity, COBIT 5 for Information Security, and a wide spectrum of standards and guidelines documents from ISO, ITU-T, NIST, Internet RFCs, other official sources, and the professional, academic, and industry literature.
In a single expert source, current and aspiring cybersecurity practitioners will find comprehensive and usable practices for successfully implementing cybersecurity within any organization. Stallings covers:
Beyond requiring a basic understanding of cryptographic terminology and applications, this book is self-contained: all technology areas are explained without requiring other reference material. Each chapter contains a clear technical overview, as well as a detailed discussion of action items and appropriate policies. Stallings, author of 13 TAA Computer Science Textbooks of the Year, offers many pedagogical features designed to help readers master the material. These include: clear learning objectives, keyword lists, and glossaries to QR codes linking to relevant standards documents and web resources.
Understanding Information Security Governance
Download the sample pages (includes Chapter 2)
Preface xxvii
Chapter 1: Best Practices, Standards, and a Plan of Action 2
1.1 Defining Cyberspace and Cybersecurity 3
1.2 The Value of Standards and Best Practices Documents 6
1.3 The Standard of Good Practice for Information Security 7
1.4 The ISO/IEC 27000 Suite of Information Security Standards 12
ISO 27001 15
ISO 27002 17
1.5 Mapping the ISO 27000 Series to the ISF SGP 18
1.6 NIST Cybersecurity Framework and Security Documents 21
NIST Cybersecurity Framework 22
NIST Security Documents 25
1.7 The CIS Critical Security Controls for Effective Cyber Defense 27
1.8 COBIT 5 for Information Security 29
1.9 Payment Card Industry Data Security Standard (PCI DSS) 30
1.10 ITU-T Security Documents 32
1.11 Effective Cybersecurity 34
The Cybersecurity Management Process 34
Using Best Practices and Standards Documents 36
1.12 Key Terms and Review Questions 38
Key Terms 38
Review Questions 38
1.13 References 39
PART I: PLANNING FOR CYBERSECURITY 41
Chapter 2: Security Governance 42
2.1 Security Governance and Security Management 43
2.2 Security Governance Principles and Desired Outcomes 45
Principles 45
Desired Outcomes 46
2.3 Security Governance Components 47
Strategic Planning 47
Organizational Structure 51
Roles and Responsibilities 55
Integration with Enterprise Architecture 58
Policies and Guidance 63
2.4 Security Governance Approach 63
Security Governance Framework 63
Security Direction 64
Responsible, Accountable, Consulted, and Informed (RACI) Charts 66
2.5 Security Governance Evaluation 68
2.6 Security Governance Best Practices 69
2.7 Key Terms and Review Questions 70
Key Terms 70
Review Questions 71
2.8 References 71
Chapter 3: Information Risk Assessment 74
3.1 Risk Assessment Concepts 75
Risk Assessment Challenges 78
Risk Management 80
Structure of This 84
3.2 Asset Identification 85
Hardware Assets 85
Software Assets 85
Information Assets 86
Business Assets 87
Asset Register 87
3.3 Threat Identification 89
The STRIDE Threat Model 89
Threat Types 90
Sources of Information 92
3.4 Control Identification 98
3.5 Vulnerability Identification 102
Vulnerability Categories 103
National Vulnerability Database and Common Vulnerability Scoring System 103
3.6 Risk Assessment Approaches 107
Quantitative Versus Qualitative Risk Assessment 107
Simple Risk Analysis Worksheet 113
Factor Analysis of Information Risk 114
3.7 Likelihood Assessment 116
Estimating Threat Event Frequency 118
Estimating Vulnerability 119
Loss Event Frequency 121
3.8 Impact Assessment 122
Estimating the Primary Loss 124
Estimating the Secondary Loss 125
Business Impact Reference Table 126
3.9 Risk Determination 128
3.10 Risk Evaluation 128
3.11 Risk Treatment 129
Risk Reduction 130
Risk Retention 130
Risk Avoidance 130
Risk Transfer 131
3.12 Risk Assessment Best Practices 131
3.13 Key Terms and Review Questions 132
Key Terms 132
Review Questions 133
3.14 References 134
Chapter 4: Security Management 136
4.1 The Security Management Function 137
Security Planning 140
Capital Planning 142
4.2 Security Policy 145
Security Policy Categories 146
Security Policy Document Content 147
Management Guidelines for Security Policies 151
Monitoring the Policy 151
4.3 Acceptable Use Policy 152
4.4 Security Management Best Practices 154
4.5 Key Terms and Review Questions 154
Key Terms 154
Review Questions 155
4.6 References 155
PART II: MANAGING THE CYBERSECURITY FUNCTION 157
Chapter 5: People Management 160
5.1 Human Resource Security 161
Security in the Hiring Process 162
During Employment 164
Termination of Employment 165
5.2 Security Awareness and Education 166
Security Awareness 168
Cybersecurity Essentials Program 173
Role-Based Training 173
Education and Certification 174
5.3 People Management Best Practices 175
5.4 Key Terms and Review Questions 176
Key Terms 176
Review Questions 176
5.5 References 177
Chapter 6: Information Management 178
6.1 Information Classification and Handling 179
Information Classification 179
Information Labeling 185
Information Handling 186
6.2 Privacy 186
Privacy Threats 189
Privacy Principles and Policies 191
Privacy Controls 196
6.3 Document and Records Management 198
Document Management 200
Records Management 202
6.4 Sensitive Physical Information 204
6.5 Information Management Best Practices 205
6.6 Key Terms and Review Questions 206
Key Terms 206
Review Questions 207
6.7 References 208
Chapter 7: Physical Asset Management 210
7.1 Hardware Life Cycle Management 211
Planning 213
Acquisition 214
Deployment 214
Management 215
Disposition 216
7.2 Office Equipment 217
Threats and Vulnerabilities 217
Security Controls 219
Equipment Disposal 222
7.3 Industrial Control Systems 223
Differences Between IT Systems and Industrial Control Systems 225
ICS Security 227
7.4 Mobile Device Security 231
Mobile Device Technology 233
Mobile Ecosystem 234
Vulnerabilities 236
Mobile Device Security Strategy 238
Resources for Mobile Device Security 243
7.5 Physical Asset Management Best Practices 244
7.6 Key Terms and Review Questions 245
Key Terms 245
Review Questions 245
7.7 References 246
Chapter 8: System Development 248
8.1 System Development Life Cycle 248
NIST SDLC Model 249
The SGP’s SDLC Model 252
DevOps 254
8.2 Incorporating Security into the SDLC 259
Initiation Phase 260
Development/Acquisition Phase 264
Implementation/Assessment Phase 266
Operations and Maintenance Phase 270
Disposal Phase 272
8.3 System Development Management 273
System Development Methodology 274
System Development Environments 275
Quality Assurance 277
8.4 System Development Best Practices 278
8.5 Key Terms and Review Questions 278
Key Terms 278
Review Questions 279
8.6 References 279
Chapter 9: Business Application Management 280
9.1 Application Management Concepts 281
Application Life Cycle Management 281
Application Portfolio Management 283
Application Performance Management 285
9.2 Corporate Business Application Security 287
Business Application Register 287
Business Application Protection 288
Browser-Based Application Protection 289
9.3 End User-Developed Applications (EUDAs) 295
Benefits of EUDAs 296
Risks of EUDAs 296
EUDA Security Framework 297
9.4 Business Application Management Best Practices 300
9.5 Key Terms and Review Questions 301
Key Terms 301
Review Questions 302
9.6 References 302
Chapter 10: System Access 304
10.1 System Access Concepts 304
Authorization 306
10.2 User Authentication 307
A Model for Electronic User Authentication 307
Means of Authentication 310
Multifactor Authentication 311
10.3 Password-Based Authentication 312
The Vulnerability of Passwords 313
The Use of Hashed Passwords 315
Password Cracking of User-Chosen Passwords 317
Password File Access Control 319
Password Selection 320
10.4 Possession-Based Authentication 322
Memory Cards 322
Smart Cards 323
Electronic Identity Cards 325
One-Time Password Device 328
Threats to Possession-Based Authentication 329
Security Controls for Possession-Based Authentication 330
10.5 Biometric Authentication 330
Criteria for Biometric Characteristics 331
Physical Characteristics Used in Biometric Applications 332
Operation of a Biometric Authentication System 333
Biometric Accuracy 335
Threats to Biometric Authentication 337
Security Controls for Biometric Authentication 339
10.6 Risk Assessment for User Authentication 341
Authenticator Assurance Levels 341
Selecting an AAL 342
Choosing an Authentication Method 345
10.7 Access Control 347
Subjects, Objects, and Access Rights 348
Access Control Policies 349
Discretionary Access Control 350
Role-Based Access Control 351
Attribute-Based Access Control 353
Access Control Metrics 358
10.8 Customer Access 360
Customer Access Arrangements 360
Customer Contracts 361
Customer Connections 361
Protecting Customer Data 361
10.9 System Access Best Practices 362
10.10 Key Terms and Review Questions 363
Key Terms 363
Review Questions 363
10.11 References 364
Chapter 11: System Management 366
11.1 Server Configuration 368
Threats to Servers 368
Requirements for Server Security 368
11.2 Virtual Servers 370
Virtualization Alternatives 371
Virtualization Security Issues 374
Securing Virtualization Systems 376
11.3 Network Storage Systems 377
11.4 Service Level Agreements 379
Network Providers 379
Computer Security Incident Response Team 381
Cloud Service Providers 382
11.5 Performance and Capacity Management 383
11.6 Backup 384
11.7 Change Management 386
11.8 System Management Best Practices 389
11.9 Key Terms and Review Questions 390
Key Terms 390
Review Questions 390
11.10 References 391
Chapter 12: Networks and Communications 392
12.1 Network Management Concepts 393
Network Management Functions 393
Network Management Systems 399
Network Management Architecture 402
12.2 Firewalls 404
Firewall Characteristics 404
Types of Firewalls 406
Next-Generation Firewalls 414
DMZ Networks 414
The Modern IT Perimeter 416
12.3 Virtual Private Networks and IP Security 417
Virtual Private Networks 417
IPsec 418
Firewall-Based VPNs 420
12.4 Security Considerations for Network Management 421
Network Device Configuration 421
Physical Network Management 423
Wireless Access 426
External Network Connections 427
Firewalls 428
Remote Maintenance 429
12.5 Electronic Communications 430
Email 430
Instant Messaging 436
Voice over IP (VoIP) Networks 438
Telephony and Conferencing 444
12.6 Networks and Communications Best Practices 444
12.7 Key Terms and Review Questions 445
Key Terms 445
Review Questions 445
12.8 References 446
Chapter 13: Supply Chain Management and Cloud Security 448
13.1 Supply Chain Management Concepts 449
The Supply Chain 449
Supply Chain Management 451
13.2 Supply Chain Risk Management 453
Supply Chain Threats 456
Supply Chain Vulnerabilities 459
Supply Chain Security Controls 460
SCRM Best Practices 463
13.3 Cloud Computing 466
Cloud Computing Elements 466
Cloud Computing Reference Architecture 470
13.4 Cloud Security 473
Security Considerations for Cloud Computing 473
Threats for Cloud Service Users 474
Risk Evaluation 475
Best Practices 476
Cloud Service Agreement 477
13.5 Supply Chain Best Practices 478
13.6 Key Terms and Review Questions 479
Key Terms 479
Review Questions 479
13.7 References 480
Chapter 14: Technical Security Management 482
14.1 Security Architecture 483
14.2 Malware Protection Activities 487
Types of Malware 487
The Nature of the Malware Threat 490
Practical Malware Protection 490
14.3 Malware Protection Software 494
Capabilities of Malware Protection Software 494
Managing Malware Protection Software 495
14.4 Identity and Access Management 496
IAM Architecture 497
Federated Identity Management 498
IAM Planning 500
IAM Best Practices 501
14.5 Intrusion Detection 502
Basic Principles 503
Approaches to Intrusion Detection 504
Host-Based Intrusion Detection Techniques 505
Network-Based Intrusion Detection Systems 506
IDS Best Practices 508
14.6 Data Loss Prevention 509
Data Classification and Identification 509
Data States 510
14.7 Digital Rights Management 512
DRM Structure and Components 513
DRM Best Practices 515
14.8 Cryptographic Solutions 517
Uses of Cryptography 517
Cryptographic Algorithms 518
Selection of Cryptographic Algorithms and Lengths 525
Cryptography Implementation Considerations 526
14.9 Cryptographic Key Management 528
Key Types 530
Cryptoperiod 532
Key Life Cycle 534
14.10 Public Key Infrastructure 536
Public Key Certificates 536
PKI Architecture 538
Management Issues 540
14.11 Technical Security Management Best Practices 541
14.12 Key Terms and Review Questions 543
Key Terms 543
Review Questions 543
14.13 References 544
Chapter 15: Threat and Incident Management 546
15.1 Technical Vulnerability Management 547
Plan Vulnerability Management 547
Discover Known Vulnerabilities 548
Scan for Vulnerabilities 549
Log and Report 551
Remediate Vulnerabilities 551
15.2 Security Event Logging 554
Security Event Logging Objective 556
Potential Security Log Sources 556
What to Log 557
Protection of Log Data 557
Log Management Policy 558
15.3 Security Event Management 559
SEM Functions 560
SEM Best Practices 561
15.4 Threat Intelligence 563
Threat Taxonomy 564
The Importance of Threat Intelligence 566
Gathering Threat Intelligence 568
Threat Analysis 569
15.5 Cyber Attack Protection 570
Cyber Attack Kill Chain 570
Protection and Response Measures 573
Non-Malware Attacks 576
15.6 Security Incident Management Framework 577
Objectives of Incident Management 579
Relationship to Information Security Management System 579
Incident Management Policy 580
Roles and Responsibilities 581
Incident Management Information 583
Incident Management Tools 583
15.7 Security Incident Management Process 584
Preparing for Incident Response 585
Detection and Analysis 586
Containment, Eradication, and Recovery 587
Post-Incident Activity 588
15.8 Emergency Fixes 590
15.9 Forensic Investigations 592
Prepare 593
Identify 594
Collect 594
Preserve 595
Analyze 595
Report 596
15.10 Threat and Incident Management Best Practices 597
15.11 Key Terms and Review Questions 598
Key Terms 598
Review Questions 599
15.12 References 599
Chapter 16: Local Environment Management 602
16.1 Local Environment Security 602
Local Environment Profile 603
Local Security Coordination 604
16.2 Physical Security 606
Physical Security Threats 606
Physical Security Officer 609
Defense in Depth 610
Physical Security: Prevention and Mitigation Measures 612
Physical Security Controls 615
16.3 Local Environment Management Best Practices 619
16.4 Key Terms and Review Questions 620
Key Terms 620
Review Questions 620
16.5 References 621
Chapter 17: Business Continuity 622
17.1 Business Continuity Concepts 625
Threats 626
Business Continuity in Operation 628
Business Continuity Objectives 629
Essential Components for Maintaining Business Continuity 630
17.2 Business Continuity Program 630
Governance 631
Business Impact Analysis 631
Risk Assessment 632
Business Continuity Strategy 634
17.3 Business Continuity Readiness 637
Awareness 637
Training 638
Resilience 639
Control Selection 640
Business Continuity Plan 642
Exercising and Testing 647
Performance Evaluation 650
17.4 Business Continuity Operations 655
Emergency Response 655
Crisis Management 656
Business Recovery/Restoration 657
17.5 Business Continuity Best Practices 660
17.6 Key Terms and Review Questions 661
Key Terms 661
Review Questions 661
17.7 References 662
PART III: SECURITY ASSESSMENT 665
Chapter 18: Security Monitoring and Improvement 666
18.1 Security Audit 666
Security Audit and Alarms Model 667
Data to Collect for Auditing 668
Internal and External Audit 672
Security Audit Controls 673
18.2 Security Performance 678
Security Performance Measurement 678
Security Monitoring and Reporting 686
Information Risk Reporting 688
Information Security Compliance Monitoring 690
18.3 Security Monitoring and Improvement Best Practices 691
18.4 Key Terms and Review Questions 692
Key Terms 692
Review Questions 692
18.5 References 693
Appendix A: References and Standards 694
Appendix B: Glossary 708
Index 726
Appendix C: Answers to Review Questions (Online Only)