Fundamentals of Information Systems Security 4th Edition by David Kim, ISBN-13: 978-1284220735
- Publisher: Jones & Bartlett Learning; 4th edition (December 24, 2021)
- Language: English
- ISBN-10: 1284220737
- ISBN-13: 978-1284220735
Revised and updated with the latest trends and information in the field, Fundamentals of Information Systems Security, Fourth Edition provides a comprehensive overview of the concepts readers must know as they pursue careers in information systems security. The text opens with a discussion of emerging technologies and the risks, threats, and vulnerabilities associated with our digital world. Part II takes a deeper dive into the foundational knowledge areas and functions associated with a career in information security. The book closes with a survey of information security standards, professional certifications, and compliance laws. With its practical, conversational writing style and step-by-step examples, this text is a must-have resource for those entering the world of information systems security.
Table of Contents:
Cover
Title Page
Copyright Page
Dedication Page
Contents
Preface
New to This Edition
Acknowledgments
The Authors
CHAPTER 1 Information Systems Security
Information Systems Security
Risks, Threats, and Vulnerabilities
What Is Information Systems Security?
Compliance Laws and Regulations Drive the Need for Information Systems Security
Tenets of Information Systems Security
Confidentiality
Integrity
Availability
The Seven Domains of a Typical IT Infrastructure
User Domain
Workstation Domain
LAN Domain
LAN-to-WAN Domain
WAN Domain
Remote Access Domain
System/Application Domain
Weakest Link in the Security of an IT Infrastructure
Ethics and the Internet
IT Security Policy Framework
Definitions
Foundational IT Security Policies
Data Classification Standards
Chapter Summary
Key Concepts and Terms
Chapter 1 Assessment
CHAPTER 2 Emerging Technologies Are Changing How We Live
Evolution of the Internet of Things
Converting to a TCP/IP World
IoT’s Impact on Human and Business Life
How People Like to Communicate
IoT Applications That Impact Our Lives
Evolution from Brick and Mortar to E-Commerce
Why Businesses Must Have an Internet and IoT Marketing Strategy
IP Mobility
Mobile Users and Bring Your Own Device
Mobile Applications
IP Mobile Communications
New Challenges Created by the IoT
Security
Privacy
Interoperability and Standards
Legal and Regulatory Issues
E-Commerce and Economic Development Issues
Chapter Summary
Key Concepts and Terms
Chapter 2 Assessment
CHAPTER 3 Risks, Threats, and Vulnerabilities
Risk Management and Information Security
Risk Terminology
Elements of Risk
Purpose of Risk Management
The Risk Management Process
Identify Risks
Assess and Prioritize Risks
Plan a Risk Response Strategy
Implement the Risk Response Plan
Monitor and Control Risk Response
IT and Network Infrastructure
Intellectual Property
Finances and Financial Data
Service Availability and Productivity
Reputation
Who Are the Perpetrators?
Risks, Threats, and Vulnerabilities in an IT Infrastructure
Threat Targets
Threat Types
What Is a Malicious Attack?
Birthday Attacks
Brute-Force Password Attacks
Credential Harvesting and Stuffing
Dictionary Password Attacks
IP Address Spoofing
Hijacking
Replay Attacks
Man-in-the-Middle Attacks
Masquerading
Eavesdropping
Social Engineering
Phreaking
Phishing
Pharming
What Are Common Attack Vectors?
Social Engineering Attacks
Wireless Network Attacks
Web Application Attacks
The Importance of Countermeasures
Chapter Summary
Key Concepts and Terms
Chapter 3 Assessment
CHAPTER 4 Business Drivers of Information Security
Risk Management’s Importance to the Organization
Understanding the Relationship between a BIA, a BCP, and a DRP
Business Impact Analysis (BIA)
Business Continuity Plan (BCP)
Disaster Recovery Plan (DRP)
Assessing Risks, Threats, and Vulnerabilities
Closing the Information Security Gap
Adhering to Compliance Laws
Keeping Private Data Confidential
Mobile Workers and Use of Personally Owned Devices
BYOD Concerns
Endpoint and Device Security
Chapter Summary
Key Concepts and Terms
Chapter 4 Assessment
CHAPTER 5 Networks and Telecommunications
The Open Systems Interconnection Reference Model
The Main Types of Networks
Wide Area Networks
Local Area Networks
TCP/IP and How It Works
TCP/IP Overview
IP Addressing
Common Ports
Common Protocols
Internet Control Message Protocol
Network Security Risks
Categories of Risk
Basic Network Security Defense Tools
Firewalls
Virtual Private Networks and Remote Access
Network Access Control
Voice and Video in an IP Network
Wireless Networks
Wireless Access Points
Wireless Network Security Controls
Chapter Summary
Key Concepts and Terms
Chapter 5 Assessment
CHAPTER 6 Access Controls
Four-Part Access Control
Two Types of Access Controls
Physical Access Control
Logical Access Control
Authorization Policies
Methods and Guidelines for Identification
Identification Methods
Identification Guidelines
Processes and Requirements for Authentication
Authentication Types
Single Sign-On
Policies and Procedures for Accountability
Log Files
Monitoring and Reviewing
Data Retention, Media Disposal, and Compliance Requirements
Formal Models of Access Control
Discretionary Access Control
Operating Systems–Based DAC
Mandatory Access Control
Nondiscretionary Access Control
Rule-Based Access Control
Access Control Lists
Role-Based Access Control
Content-Dependent Access Control
Constrained User Interface
Other Access Control Models
Effects of Breaches in Access Control
Threats to Access Controls
Effects of Access Control Violations
Credential and Permissions Management
Centralized and Decentralized Access Control
Types of AAA Servers
Decentralized Access Control
Privacy
Chapter Summary
Key Concepts and Terms
Chapter 6 Assessment
CHAPTER 7 Cryptography
What Is Cryptography?
Basic Cryptographic Principles
A Brief History of Cryptography
Cryptography’s Role in Information Security
Business and Security Requirements for Cryptography
Internal Security
Security in Business Relationships
Security Measures That Benefit Everyone
Cryptographic Principles, Concepts, and Terminology
Cryptographic Functions and Ciphers
Types of Ciphers
Transposition Ciphers
Substitution Ciphers
Product and Exponentiation Ciphers
Symmetric and Asymmetric Key Cryptography
Symmetric Key Ciphers
Asymmetric Key Ciphers
Cryptanalysis and Public Versus Private Keys
Keys, Keyspace, and Key Management
Cryptographic Keys and Keyspace
Key Management
Key Distribution
Key Distribution Centers
Digital Signatures and Hash Functions
Hash Functions
Digital Signatures
Cryptographic Applications and Uses in Information System Security
Other Cryptographic Tools and Resources
Symmetric Key Standards
Asymmetric Key Solutions
Hash Function and Integrity
Digital Signatures and Nonrepudiation
Principles of Certificates and Key Management
Modern Key Management Techniques
Chapter Summary
Key Concepts and Terms
Chapter 7 Assessment
CHAPTER 8 Malicious Software and Attack Vectors
Characteristics, Architecture, and Operations of Malicious Software
The Main Types of Malware
Viruses
Spam
Worms
Trojan Horses
Logic Bombs
Active Content Vulnerabilities
Malicious Add-Ons
Injection
Botnets
Denial of Service Attacks
Spyware
Adware
Phishing
Keystroke Loggers
Hoaxes and Myths
Homepage Hijacking
Webpage Defacements
A Brief History of Malicious Code Threats
1970s and Early 1980s: Academic Research and UNIX
1980s: Early PC Viruses
1990s: Early LAN Viruses
Mid-1990s: Smart Applications and the Internet
2000 to the Present
Threats to Business Organizations
Types of Threats
Internal Threats from Employees
Anatomy of an Attack
What Motivates Attackers?
The Purpose of an Attack
Types of Attacks
Phases of an Attack
Attack Prevention Tools and Techniques
Application Defenses
Operating System Defenses
Network Infrastructure Defenses
Safe Recovery Techniques and Practices
Implementing Effective Software Best Practices
Intrusion Detection Tools and Techniques
Antivirus Scanning Software
Network Monitors and Analyzers
Content/Context Filtering and Logging Software
Honeypots and Honeynets
Chapter Summary
Key Concepts and Terms
Chapter 8 Assessment
CHAPTER 9 Security Operations and Administration
Security Administration
Controlling Access
Documentation, Procedures, and Guidelines
Disaster Assessment and Recovery
Security Outsourcing
Compliance
Event Logs
Compliance Liaison
Remediation
Professional Ethics
Common Fallacies About Ethics
Codes of Ethics
Personnel Security Principles
The Infrastructure for an IT Security Policy
Policies
Standards
Procedures
Baselines
Guidelines
Data Classification Standards
Information Classification Objectives
Examples of Classification
Classification Procedures
Assurance
Configuration Management
Hardware Inventory and Configuration Chart
The Change Management Process
Change Control Management
Change Control Committees
Change Control Procedures
Change Control Issues
Application Software Security
The System Life Cycle
Testing Application Software
Software Development and Security
Software Development Models
Chapter Summary
Key Concepts and Terms
Chapter 9 Assessment
CHAPTER 10 Auditing, Testing, and Monitoring
Security Auditing and Analysis
Security Controls Address Risk
Determining What Is Acceptable
Permission Levels
Areas of Security Audits
Purpose of Audits
Customer Confidence
Defining the Audit Plan
Defining the Scope of the Plan
Auditing Benchmarks
Audit Data Collection Methods
Areas of Security Audits
Control Checks and Identity Management
Post-Audit Activities
Exit Interview
Data Analysis
Generation of Audit Report
Presentation of Findings
Security Monitoring
Security Monitoring for Computer Systems
Monitoring Issues
Logging Anomalies
Log Management
Types of Log Information to Capture
How to Verify Security Controls
Intrusion Detection System
Analysis Methods
HIDS
Layered Defense: Network Access Control
Control Checks: Intrusion Detection
Host Isolation
System Hardening
Monitoring and Testing Security Systems
Monitoring
Testing
Chapter Summary
Key Concepts and Terms
Chapter 10 Assessment
CHAPTER 11 Contingency Planning
Business Continuity Management
Emerging Threats
Static Environments
Terminology
Assessing Maximum Tolerable Downtime
Business Impact Analysis
Plan Review
Testing the Plan
Backing Up Data and Applications
Types of Backups
Incident Handling
Preparation
Identification
Notification
Response
Recovery
Follow-Up
Documentation and Reporting
Recovery from a Disaster
Activating the Disaster Recovery Plan
Operating in a Reduced/Modified Environment
Restoring Damaged Systems
Disaster Recovery Issues
Recovery Alternatives
Interim or Alternate Processing Strategies
Chapter Summary
Key Concepts and Terms
Chapter 11 Assessment
CHAPTER 12 Digital Forensics
Introduction to Digital Forensics
Understanding Digital Forensics
Knowledge That Is Needed for Forensic Analysis
Overview of Computer Crime
Types of Computer Crime
The Impact of Computer Crime on Forensics
Forensic Methods and Labs
Forensic Methodologies
Setting Up a Forensic Lab
Collecting, Seizing, and Protecting Evidence
The Importance of Proper Evidence Handling
Imaging Original Evidence
Recovering Data
Undeleting Data
Recovering Data from Damaged Media
Operating System Forensics
Internals and Storage
Command-Line Interface and Scripting
Mobile Forensics
Mobile Device Evidence
Seizing Evidence from a Mobile Device
Chapter Summary
Key Concepts and Terms
Chapter 12 Assessment
CHAPTER 13 Information Security Standards
Standards Organizations
National Institute of Standards and Technology
International Organization for Standardization
International Electrotechnical Commission
World Wide Web Consortium
Internet Engineering Task Force
Institute of Electrical and Electronics Engineers
International Telecommunication Union Telecommunication Sector
American National Standards Institute
European Telecommunications Standards Institute Cyber Security Technical Committee
ISO 17799 (Withdrawn)
ISO/IEC 27002
Payment Card Industry Data Security Standard
Chapter Summary
Key Concepts and Terms
Chapter 13 Assessment
CHAPTER 14 Information Security Certifications
U.S. Department of Defense/Military Directive 8570.01
U.S. DoD/Military Directive 8140
U.S. DoD Training Framework
Vendor-Neutral Professional Certifications
International Information Systems Security Certification Consortium, Inc.
Global Information Assurance Certification/SANS Institute
Certified Internet Web Professional
CompTIA
ISACA®
Other Information Systems Security Certifications
Vendor-Specific Professional Certifications
Cisco Systems
Juniper Networks
RSA
Symantec
Check Point
Chapter Summary
Key Concepts and Terms
Chapter 14 Assessment
CHAPTER 15 Compliance Laws
Compliance Is the Law
Federal Information Security
The Federal Information Security Management Act of 2002
The Federal Information Security Modernization Act of 2014
The Role of the National Institute of Standards and Technology
National Security Systems
The Health Insurance Portability and Accountability Act (HIPAA)
Purpose and Scope
Main Requirements of the HIPAA Privacy Rule
Main Requirements of the HIPAA Security Rule
Oversight
Omnibus Regulations
The Gramm-Leach-Bliley Act
Purpose and Scope
Main Requirements of the GLBA Privacy Rule
Main Requirements of the GLBA Safeguards Rule
Oversight
The Sarbanes-Oxley Act
Purpose and Scope
SOX Control Certification Requirements
SOX Records Retention Requirements
Oversight
The Family Educational Rights and Privacy Act
Purpose and Scope
Main Requirements
Oversight
The Children’s Online Privacy Protection Act of 1998
The Children’s Internet Protection Act
Purpose and Scope
Main Requirements
Oversight
Payment Card Industry Data Security Standard
Purpose and Scope
Self-Assessment Questionnaire
General Data Protection Regulation
California Consumer Privacy Act
Making Sense of Laws for Information Security Compliance
Chapter Summary
Key Concepts and Terms
Chapter 15 Assessment
APPENDIX A Answer Key
APPENDIX B Standard Acronyms
APPENDIX C Earning the CompTIA Security+ Certification
Glossary of Key Terms
References
Index
David Kim is the president of Security Evolutions, Inc. (SEI; www.security-evolutions.com), located outside the Washington, DC, metropolitan area. SEI provides governance, risk, and compliance consulting services for public and private sector clients globally. SEI’s clients include healthcare institutions, banking institutions, governments, and international airports. SEI’s IT security consulting services include security risk assessments, vulnerability assessments, compliance audits, and the design of layered security solutions for enterprises. In addition, available services include developing business continuity and disaster recovery plans. Mr. Kim’s IT and IT security experience encompasses more than 30 years of technical engineering, technical management, and sales and marketing management. This experience includes LAN/WAN, internetworking, enterprise network management, and IT security for voice, video, and data networking infrastructures. He is an accomplished author and part-time adjunct professor who enjoys teaching cybersecurity to students across the United States.
Michael G. Solomon, PhD, CISSP, PMP, CISM, CySA+, Pentest+, is an author, educator, and consultant focusing on privacy, security, blockchain, and identity management. As an IT professional and consultant since 1987, Dr. Solomon has led project teams for many Fortune 500 companies and has authored and contributed to more than 30 books and numerous training courses. Dr. Solomon is a Professor of Computer and Information Sciences at the University of the Cumberlands and holds a Ph.D. in Computer Science and Informatics from Emory University.