Implementing Internet Security


Implementing Internet Security. Frederic J. Cooper, Chris Goggans, John K. Halvey, Larry Hughes, Lisa Morgan, Karanjit Siyan, William Stallings, Peter Stephenson. New Riders Publishing, Indianapolis, Indiana.

IMPLEMENTING INTERNET SECURITY: TABLE OF CONTENTS

1 Definition of Security 1
  The Times, and Security Requirements, Change 2
  What Is Security, Anyway? 3
  Implementing Security 7
  Layering Security 8
  Some Approaches 9

2 Applicable Standards and Principles 13
  Department of Defense C2 Principles 14
    Security Policy 15
    Accountability 18
    Assurance 19
    Design Documentation 22
    Putting C2 in Context with Your Requirements 22
  Using the Red Book to Interpret C2 for Networks 24
    Security Policy 24
    Accountability 26
    Assurance 27
    Documentation 29
  The Generally Accepted System Security Principles (GSSP) 30
  The Role of Standards 35

3 Authentication and Authorization 37
  Access Control 38
  The Authentication Dilemma 40
  Monitoring and Control 46
  Access Control Subsystems and Secure Single Sign-On 49

4 Local Workstation and Networking Holes 55
  Prevention 56
    Protect the root Account 56
    Secure Terminals 56
    User Account and Password Management 58
      Limit Account Lifetime 58
      Choose Secure Passwords 58
      Crack Your Own Passwords 59
      Implement Shadow Passwords 59
      Implement Password Aging 60
    Server Filters 60
      TCP Wrapper 61
      xinetd 63
    Network Applications and Services 64
      Trusted Hosts 64
      sendmail 65
      finger 68
      Tape Backup and Restore 69
      File Transfer Protocol (FTP) 70
      tftpd 72
      The X Window System 72
      NFS 74
  Detection 75
    Observe System Files 75
    Monitor User Login Habits 76
    Detection Tools 76
  Cure 77
    Change the Account Shell 78
    Disable Local FTP Access 79
    Change the Account Password 79
    Expire the Account 79
    Disable or Restrict Trusted Host Access 79
    Change File Ownerships and Protections 80
    Remove Files Owned by the Account 80

5 Firewalls 81
  Firewall Components 82
  Screening Routers 83
    Identifying Zones of Risk 83
    Screening Routers and Firewalls in Relation to the OSI Model 85
  Packet Filtering 86
    Packet Filtering and Network Policy 86
    A Simple Model for Packet Filtering 87
    Packet Filter Operations 88
    Designing a Packet Filter 90
    Packet Filter Rules and Full Associations 95
  Dual-Homed Host 97
    Compromising the Security of a Dual-Homed Firewall 100
    Services on a Dual-Homed Firewall 101
  Bastion Host 101
    Simplest Deployment of a Bastion Host 102
  Screened Host Gateway 102
  Application Level Gateways 103

6 Secure Transactions: PGP and Kerberos 107
  Pretty Good Privacy 108
    Public Keys 110
    Private Keys 111
    Digital Signatures 111
    Compression 113
    Message Encryption 114
    Radix-64 Conversion 115
    The Order of Operations in PGP 116
    Public Key Management 117
    PGP Versions 118
    Where To Get PGP 119
  Kerberos 119
    The Kerberos Protocol 120
    Kerberos Realms and Multiple Kerberi 124
    Version 4 and Version 5 126
    Performance Issues 126
    Kerberos Now 127

7 Audit Trails 129
  Audit Trails under Unix 130
    Common Unix Logs 130
    Process Accounting 138
    Useful Utilities in Auditing 140
    Other Reporting Tools Available Online 142
  Audit Trails under Windows NT 144
    Using the Event Viewer 145
    Logging the ftp Server Service 147
    Logging httpd Transactions 148
    Logging by Other TCP/IP Applications under NT 148
  Audit Trails under DOS 149
    PC/DACS 149
    Watchdog 150
    LOCK 150
  Using System Logs to Discover Intruders 150
    Common Break-In Indications 151
    Potential Problems 151

8 Legal Considerations 155
  Electronic Rights: Copyrights Online 156
    An Overview of Copyright Law 156
    The National Infrastructure Task Force Proposed Changes to the Copyright Act 160
    Copyrights on the Internet 161
  Freedom of Expression 163
    The First Amendment and Its Protection 163
    Defamation 166
  Privacy 168
    Federal and State Law 170
    The Electronic Communications Privacy Act 170
    The Computer Fraud and Abuse Act 172
    State Computer Crime Law 172
  Trademark Law and the Internet 173

9 Internet Commerce 189
  Internet Commerce Isn't New 190
    Credit Cards 191
    Modern Internet Commerce 192
  Internet Commerce: What's the Big Deal? 193
  Management Issues 194
    Threats from Employees and Criminal Hackers 194
    VANs and Internet Commerce 195
    How Real Is Internet Commerce? 195
    How Does Internet Commerce Relate to Existing Financial Systems? 196
    How Financial Systems Are Affected by Online Capabilities 196
  Internet Commerce Companies and Organizations 196
    CommerceNet 197
    CyberCash, Inc. 198
    DigiCash 199
    First Virtual Holdings, Inc. 200
    Internet Shopping Network 202
    Netscape Communications Corporation 203
    Open Market 203
    Proprietary Systems 205
  Digital Cash 206
    The Importance of Digital Cash Anonymity 207
    How Digital Cash Is Generated 207
    The Internet: The First Nation in Cyberspace 208
    Digital Checks 209
    Blind Signatures: An Added Measure of Privacy 209
    Digital Signatures 209
  Sales, Marketing, and IS 210
    Keeping an Eye on Implementation 210
    The Role of the Network Manager 211

10 Improving the Security of Your Site by Breaking Into It 213
  Overview 215
  Gaining Information 217
  Trust 227
  Protecting the System 229
  Conclusions 230
  Appendix A 231
  Appendix B 231
  Appendix C 232
  Appendix D 233
  Bibliography 234
  Suggested Reading 234

A RFC Index List 235

B RFC 1244 - The Site Security Handbook 273
  Contributing Authors 274
  1. Introduction 274
    1.1 Purpose of this Work 274
    1.2 Audience 275
    1.3 Definitions 275
    1.4 Related Work 275
    1.5 Scope 276
    1.6 Why Do We Need Security Policies and Procedures? 276
    1.7 Basic Approach 278
    1.8 Organization of this Document 278
  2. Establishing Official Site Policy on Computer Security 279
    2.1 Brief Overview 279
    2.2 Risk Assessment 281
    2.3 Policy Issues 283
    2.4 What Happens When the Policy is Violated 289
    2.5 Locking In or Out 291
    2.6 Interpreting the Policy 292
    2.7 Publicizing the Policy 293
  3. Establishing Procedures to Prevent Security Problems 293
    3.1 Security Policy Defines What Needs to be Protected 293
    3.2 Identifying Possible Problems 294
    3.3 Choose Controls to Protect Assets in a Cost-Effective Way 295
    3.4 Use Multiple Strategies to Protect Assets 296
    3.5 Physical Security 296
    3.6 Procedures to Recognize Unauthorized Activity 297
    3.7 Define Actions to Take When Unauthorized Activity is Suspected 299
    3.8 Communicating Security Policy 299
    3.9 Resources to Prevent Security Breaches 303
  4. Types of Security Procedures 321
    4.1 System Security Audits 321
    4.2 Account Management Procedures 322
    4.3 Password Management Procedures 323
    4.4 Configuration Management Procedures 325
  5. Incident Handling 326
    5.1 Overview 326
    5.2 Evaluation 330
    5.3 Possible Types of Notification 332
    5.4 Response 335
    5.5 Legal/Investigative 338
    5.6 Documentation Logs 341
  6. Establishing Post-Incident Procedures 342
    6.1 Overview 342
    6.2 Removing Vulnerabilities 342
    6.3 Capturing Lessons Learned 344
    6.4 Upgrading Policies and Procedures 345
  7. References 345
  8. Annotated Bibliography 347
    8.1 Computer Law 347
    8.2 Computer Security 349
    8.3 Ethics 354
    8.4 The Internet Worm 356
    8.5 National Computer Security Center (NCSC) 358
    8.6 Security Checklists 361
    8.7 Additional Publications 361
  9. Acknowledgments 363
  10. Security Considerations 363
  11. Authors' Addresses 363

Index 365