Computer and Information Security Handbook
The Morgan Kaufmann Series in Computer Security

Computer and Information Security Handbook, by John Vacca
Disappearing Cryptography: Information Hiding: Steganography & Watermarking, Third Edition, by Peter Wayner
Network Security: Know It All, by James Joshi, et al.
Digital Watermarking and Steganography, Second Edition, by Ingemar Cox, Matthew Miller, Jeffrey Bloom, Jessica Fridrich, and Ton Kalker
Information Assurance: Dependability and Security in Networked Systems, by Yi Qian, David Tipper, Prashant Krishnamurthy, and James Joshi
Network Recovery: Protection and Restoration of Optical, SONET-SDH, IP, and MPLS, by Jean-Philippe Vasseur, Mario Pickavet, and Piet Demeester

For further information on these books and for a list of forthcoming titles, please visit our Web site at
Computer and Information Security Handbook
Edited by
John R. Vacca
AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK
OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO
SINGAPORE • SYDNEY • TOKYO
Morgan Kaufmann Publishers is an imprint of Elsevier
Morgan Kaufmann Publishers is an imprint of Elsevier.
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA

This book is printed on acid-free paper.

Copyright © 2009 by Elsevier Inc. All rights reserved.
Exception to the above text: Chapter 29: © 2009, The Crown in right of Canada.

Designations used by companies to distinguish their products are often claimed as trademarks or registered trademarks. In all instances in which Morgan Kaufmann Publishers is aware of a claim, the product names appear in initial capital or all capital letters. All trademarks that appear or are otherwise referred to in this work belong to their respective owners. Neither Morgan Kaufmann Publishers nor the authors and other contributors of this work have any relationship or affiliation with such trademark owners nor do such trademark owners confirm, endorse or approve the contents of this work. Readers, however, should contact the appropriate companies for more information regarding trademarks and any related registrations.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, scanning, or otherwise—without prior written permission of the publisher.

Permissions may be sought directly from Elsevier’s Science & Technology Rights Department in Oxford, UK: phone: (+44) 1865 843830, fax: (+44) 1865 853333, E-mail: You may also complete your request online via the Elsevier homepage (), by selecting “Support & Contact” then “Copyright and Permission” and then “Obtaining Permissions.”

Library of Congress Cataloging-in-Publication Data
Application submitted

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

ISBN: 978-0-12-374354-1

For information on all Morgan Kaufmann publications, visit our Web site at www.mkp.com or www.elsevierdirect.com

Printed in the United States of America
09 10 11 12 13 5 4 3 2 1
This book is dedicated to my wife, Bee.
Contents

Foreword  xxi
Preface  xxiii
Acknowledgments  xxvii
About the Editor  xxix
Contributors  xxxi

Part I. Overview of System and Network Security: A Comprehensive Introduction

1. Building a Secure Organization  3
   John Mallery
   1. Obstacles to Security  3
      Security Is Inconvenient  3
      Computers Are Powerful and Complex  3
      Computer Users Are Unsophisticated  4
      Computers Created Without a Thought to Security  4
      Current Trend Is to Share, Not Protect  4
      Data Accessible from Anywhere  4
      Security Isn’t About Hardware and Software  5
      The Bad Guys Are Very Sophisticated  5
      Management Sees Security as a Drain on the Bottom Line  5
   2. Ten Steps to Building a Secure Organization  6
      A. Evaluate the Risks and Threats  6
      B. Beware of Common Misconceptions  8
      C. Provide Security Training for IT Staff—Now and Forever  9
      D. Think “Outside the Box”  10
      E. Train Employees: Develop a Culture of Security  12
      F. Identify and Utilize Built-In Security Features of the Operating System and Applications  14
      G. Monitor Systems  16
      H. Hire a Third Party to Audit Security  17
      I. Don’t Forget the Basics  19
      J. Patch, Patch, Patch  20

2. A Cryptography Primer  23
   Scott R. Ellis
   1. What is Cryptography? What is Encryption?  23
      How Is Cryptography Done?  24
   2. Famous Cryptographic Devices  24
      The Lorenz Cipher  24
      Enigma  24
   3. Ciphers  25
      The Substitution Cipher  25
      The Shift Cipher  26
      The Polyalphabetic Cipher  29
      The Kasiski/Kerckhoff Method  30
   4. Modern Cryptography  31
      The Vernam Cipher (Stream Cipher)  31
      The One-Time Pad  32
      Cracking Ciphers  33
      The XOR Cipher and Logical Operands  34
      Block Ciphers  35
   5. The Computer Age  36
      Data Encryption Standard  36
      Theory of Operation  37
      Implementation  38
      Rivest, Shamir, and Adleman (RSA)  38
      Advanced Encryption Standard (AES or Rijndael)  38

3. Preventing System Intrusions  39
   Michael West
   1. So, What is an Intrusion?  39
   2. Sobering Numbers  40
   3. Know Your Enemy: Hackers Versus Crackers  40
   4. Motives  41
   5. Tools of the Trade  41
   6. Bots  42
   7. Symptoms of Intrusions  43
   8. What Can You Do?  43
      Know Today’s Network Needs  44
      Network Security Best Practices  45
   9. Security Policies  45
   10. Risk Analysis  46
      Vulnerability Testing  46
      Audits  47
      Recovery  47
   11. Tools of Your Trade  47
      Firewalls  47
      Intrusion Prevention Systems  47
      Application Firewalls  48
      Access Control Systems  48
      Unified Threat Management  49
   12. Controlling User Access  49
      Authentication, Authorization, and Accounting  49
      What the User Knows  49
      What the User Has  50
      The User Is Authenticated, But Is She Authorized?  50
      Accounting  51
   13. Keeping Current  51
   Conclusion  51

4. Guarding Against Network Intrusions  53
   Tom Chen and Patrick J. Walsh
   1. Traditional Reconnaissance and Attacks  53
   2. Malicious Software  56
      Lures and “Pull” Attacks  57
   3. Defense in Depth  58
   4. Preventive Measures  59
      Access Control  59
      Vulnerability Testing and Patching  59
      Closing Ports  60
      Firewalls  60
      Antivirus and Antispyware Tools  61
      Spam Filtering  62
      Honeypots  62
      Network Access Control  63
   5. Intrusion Monitoring and Detection  63
      Host-Based Monitoring  64
      Traffic Monitoring  64
      Signature-Based Detection  64
      Behavior Anomalies  65
      Intrusion Prevention Systems  65
   6. Reactive Measures  65
      Quarantine  65
      Traceback  66
   7. Conclusions  66

5. Unix and Linux Security  67
   Gerald Beuchelt
   1. Unix and Security  67
      The Aims of System Security  67
      Achieving Unix Security  67
   2. Basic Unix Security  68
      Traditional Unix Systems  68
      Standard File and Device Access Semantics  69
   3. Protecting User Accounts and Strengthening Authentication  71
      Establishing Secure Account Use  71
      The Unix Login Process  71
      Controlling Account Access  71
      Noninteractive Access  72
      Other Network Authentication Mechanisms  73
      Risks of Trusted Hosts and Networks  73
      Replacing Telnet, rlogin, and FTP Servers and Clients with SSH  73
   4. Reducing Exposure to Threats by Limiting Superuser Privileges  74
      Controlling Root Access  74
   5. Safeguarding Vital Data by Securing Local and Network File Systems  76
      Directory Structure and Partitioning for Security  76

6. Eliminating the Security Weakness of Linux and Unix Operating Systems  79
   Mario Santana
   1. Introduction to Linux and Unix  79
      What Is Unix?  79
      What Is Linux?  80
      System Architecture  82
   2. Hardening Linux and Unix  84
      Network Hardening  84
      Host Hardening  88
      Systems Management Security  90
   3. Proactive Defense for Linux and Unix  90
      Vulnerability Assessment  90
      Incident Response Preparation  91
      Organizational Considerations  92

7. Internet Security  93
   Jesse Walker
   1. Internet Protocol Architecture  93
      Communications Architecture Basics  94
      Getting More Specific  95
   2. An Internet Threat Model  100
      The Dolev-Yao Adversary Model  101
      Layer Threats  101
   3. Defending Against Attacks on the Internet  105
      Layer Session Defenses  106
      Session Startup Defenses  113
   4. Conclusion  117

8. The Botnet Problem  119
   Xinyuan Wang and Daniel Ramsbrock
   1. Introduction  119
   2. Botnet Overview  120
      Origins of Botnets  120
      Botnet Topologies and Protocols  120
      Typical Bot Life Cycle  122
   3. The Botnet Business Model  123
   4. Botnet Defense  124
      Detecting and Removing Individual Bots  124
      Detecting C&C Traffic  125
      Detecting and Neutralizing the C&C Servers  125
      Attacking Encrypted C&C Channels  126
   5. Locating and Identifying the Botmaster  128
      Botmaster Traceback  128
      Traceback Challenges  129
   6. Traceback Beyond the Internet  130
   7. Summary  132

9. Intranet Security  133
   Bill Mansoor
   1. Plugging the Gaps: NAC and Access Control  136
   2. Measuring Risk: Audits  137
   3. Guardian at the Gate: Authentication and Encryption  138
   4. Wireless Network Security  139
   5. Shielding the Wire: Network Protection  141
   6. Weakest Link in Security: User Training  142
   7. Documenting the Network: Change Management  142
   8. Rehearse the Inevitable: Disaster Recovery  143
   9. Controlling Hazards: Physical and Environmental Protection  145
   10. Know Your Users: Personnel Security  146
   11. Protecting Data Flow: Information and System Integrity  146
   12. Security Assessments  147
   13. Risk Assessments  148
   14. Conclusion  148

10. Local Area Network Security  149
   Dr. Pramod Pandya
   1. Identify Network Threats  150
      Disruptive  150
      Unauthorized Access  150
   2. Establish Network Access Controls  150
   3. Risk Assessment  151
   4. Listing Network Resources  151
   5. Threats  151
   6. Security Policies  151
   7. The Incident-handling Process  152
   8. Secure Design Through Network Access Controls  152
   9. IDS Defined  153
   10. NIDS: Scope and Limitations  154
   11. A Practical Illustration of NIDS  154
      UDP Attacks  154
      TCP SYN (Half-Open) Scanning  155
      Some Not-So-Robust Features of NIDS  156
   12. Firewalls  158
      Firewall Security Policy  159
      Configuration Script for sf Router  160
   13. Dynamic NAT Configuration  160
   14. The Perimeter  160
   15. Access List Details  162
   16. Types of Firewalls  162
   17. Packet Filtering: IP Filtering Routers  162
   18. Application-layer Firewalls: Proxy Servers  163
   19. Stateful Inspection Firewalls  163
   20. NIDS Complements Firewalls  163
   21. Monitor and Analyze System Activities  163
      Analysis Levels  164
   22. Signature Analysis  164
   23. Statistical Analysis  164
   24. Signature Algorithms  164
      Pattern Matching  164
      Stateful Pattern Matching  165
      Protocol Decode-based Analysis  165
      Heuristic-Based Analysis  166
      Anomaly-Based Analysis  166

11. Wireless Network Security  169
   Chunming Rong and Erdal Cayirci
   1. Cellular Networks  169
      Cellular Telephone Networks  170
      802.11 Wireless LANs  170
   2. Wireless Ad Hoc Networks  171
      Wireless Sensor Networks  171
      Mesh Networks  171
   3. Security Protocols  172
      WEP  172
      WPA and WPA2  173
      SPINS: Security Protocols for Sensor Networks  173
   4. Secure Routing  175
      SEAD  175
      Ariadne  176
      ARAN  176
      SLSP  177
   5. Key Establishment  177
      Bootstrapping  177
      Key Management  178
   References  181

12. Cellular Network Security  183
   Peng Liu, Thomas F. LaPorta and Kameswari Kotapati
   1. Introduction  183
   2. Overview of Cellular Networks  184
      Overall Cellular Network Architecture  184
      Core Network Organization  185
      Call Delivery Service  185
   3. The State of the Art of Cellular Network Security  186
      Security in the Radio Access Network  186
      Security in Core Network  187
      Security Implications of Internet Connectivity  188
      Security Implications of PSTN Connectivity  188
   4. Cellular Network Attack Taxonomy  189
      Abstract Model  189
      Abstract Model Findings  189
      Three-Dimensional Attack Taxonomy  192
   5. Cellular Network Vulnerability Analysis  193
      Cellular Network Vulnerability Assessment Toolkit (CAT)  195
      Advanced Cellular Network Vulnerability Assessment Toolkit (aCAT)  198
      Cellular Network Vulnerability Assessment Toolkit for evaluation (eCAT)  199
   6. Discussion  201
   References  202

13. RFID Security  205
   Chunming Rong and Erdal Cayirci
   1. RFID Introduction  205
      RFID System Architecture  205
      RFID Standards  207
      RFID Applications  208
   2. RFID Challenges  209
      Counterfeiting  209
      Sniffing  209
      Tracking  209
      Denial of Service  210
      Other Issues  210
      Comparison of All Challenges  212
   3. RFID Protections  212
      Basic RFID System  212
      RFID System Using Symmetric-Key Cryptography  215
      RFID System Using Public-key Cryptography  217
   References  219

Part II. Managing Information Security

14. Information Security Essentials for IT Managers, Protecting Mission-Critical Systems  225
   Albert Caballero
   1. Information Security Essentials for IT Managers, Overview  225
      Scope of Information Security Management  225
      CISSP Ten Domains of Information Security  225
      What is a Threat?  227
      Common Attacks  228
      Impact of Security Breaches  231
   2. Protecting Mission-critical Systems  231
      Information Assurance  231
      Information Risk Management  231
      Defense in Depth  233
      Contingency Planning  233
   3. Information Security from the Ground Up  236
      Physical Security  236
      Data Security  237
      Systems and Network Security  239
      Business Communications Security  241
      Wireless Security  242
      Web and Application Security  246
      Security Policies and Procedures  247
      Security Employee Training and Awareness  248
   4. Security Monitoring and Effectiveness  249
      Security Monitoring Mechanisms  250
      Incident Response and Forensic Investigations  251
      Validating Security Effectiveness  251
   References  252

15. Security Management Systems  255
   Joe Wright and Jim Harmening
   1. Security Management System Standards  255
   2. Training Requirements  256
   3. Principles of Information Security  256
   4. Roles and Responsibilities of Personnel  256
   5. Security Policies  256
   6. Security Controls  257
   7. Network Access  257
   8. Risk Assessment  257
   9. Incident Response  258
   10. Summary  258

16. Information Technology Security Management  259
   Rahul Bhaskar and Bhushan Kapoor
   1. Information Security Management Standards  259
      Federal Information Security Management Act  259
      International Standards Organization  260
      Other Organizations Involved in Standards  260
   2. Information Technology Security Aspects  260
      Security Policies and Procedures  261
      IT Security Processes  263
   3. Conclusion  267

17. Identity Management  269
   Dr. Jean-Marc Seigneur and Dr. Tewfiq El Maliki
   1. Introduction  269
   2. Evolution of Identity Management Requirements  269
      Digital Identity Definition  270
      Identity Management Overview  270
      Privacy Requirement  272
      User-Centricity  272
      Usability Requirement  273
   3. The Requirements Fulfilled by Current Identity Management Technologies  274
      Evolution of Identity Management  274
      Identity 2.0  278
   4. Identity 2.0 for Mobile Users  286
      Mobile Web 2.0  286
      Mobility  287
      Evolution of Mobile Identity  287
      The Future of Mobile User-Centric Identity Management in an Ambient Intelligence World  290
      Research Directions  292
   5. Conclusion  292

18. Intrusion Prevention and Detection Systems  293
   Christopher Day
   1. What is an “Intrusion,” Anyway?  293
      Physical Theft  293
      Abuse of Privileges (The Insider Threat)  293
   2. Unauthorized Access by an Outsider  294
   3. Malware Infection  294
   4. The Role of the “0-day”  295
   5. The Rogue’s Gallery: Attackers and Motives  296
   6. A Brief Introduction to TCP/IP  297
   7. The TCP/IP Data Architecture and Data Encapsulation  298
   8. Survey of Intrusion Detection and Prevention Technologies  300
   9. Anti-Malware Software  301
   10. Network-based Intrusion Detection Systems  302
   11. Network-based Intrusion Prevention Systems  303
   12. Host-based Intrusion Prevention Systems  304
   13. Security Information Management Systems  304
   14. Network Session Analysis  304
   15. Digital Forensics  305
   16. System Integrity Validation  306
   17. Putting it all Together  306

19. Computer Forensics  307
   Scott R. Ellis
   1. What is Computer Forensics?  307
   2. Analysis of Data  308
      Computer Forensics and Ethics, Green Home Plate Gallery View  309
      Database Reconstruction  310
   3. Computer Forensics in the Court System  310
   4. Understanding Internet History  312
   5. Temporary Restraining Orders and Labor Disputes  312
      Divorce  313
      Patent Infringement  313
      When to Acquire, When to Capture Acquisition  313
      Creating Forensic Images Using Software and Hardware Write Blockers  313
      Live Capture of Relevant Files  314
      Redundant Array of Independent (or Inexpensive) Disks (RAID)  314
      File System Analyses  314
      NTFS  315
      The Role of the Forensic Examiner in Investigations and File Recovery  315
      Password Recovery  317
      File Carving  318
      Things to Know: How Time stamps Work  320
      Experimental Evidence  321
      Email Headers and Time stamps, Email Receipts, and Bounced Messages  322
      Steganography “Covered Writing”  324
   5. First Principles  325
   6. Hacking a Windows XP Password  325
      Net User Password Hack  325
      Lanman Hashes and Rainbow Tables  325
      Password Reset Disk  326
      Memory Analysis and the Trojan Defense  326
      User Artifact Analysis  326
      Recovering Lost and Deleted Files  327
      Email  327
      Internet History  327
   7. Network Analysis  328
      Protocols  328
      Analysis  328
   8. Computer Forensics Applied  329
      Tracking, Inventory, Location of Files, Paperwork, Backups, and So On  329
      Testimonial  329
      Experience Needed  329
      Job Description, Technologist  329
      Job Description Management  330
      Commercial Uses  330
      Solid Background  330
      Education/Certification  330
      Programming and Experience  331
      Publications  331
   9. Testifying as an Expert  332
      Degrees of Certainty  332
      Certainty Without Doubt  334
   10. Beginning to End in Court  334
      Defendants, Plaintiffs, and Prosecutors  334
      Pretrial Motions  335
      Trial: Direct and Cross-Examination  335
      Rebuttal  335
      Surrebuttal  335
      Testifying: Rule 702. Testimony by Experts  335
      Correcting Mistakes: Putting Your Head in the Sand  336

20. Network Forensics  339
   Yong Guan
   1. Scientific Overview  339
   2. The Principles of Network Forensics  340
   3. Attack Traceback and Attribution  341
      IP Traceback  341
      Stepping-Stone Attack Attribution  344
   4. Critical Needs Analysis  346
   5. Research Directions  346
      VoIP Attribution  346

21. Firewalls  349
   Dr. Errin W. Fulp
   1. Network Firewalls  349
   2. Firewall Security Policies  350
      Rule-Match Policies  351
   3. A Simple Mathematical Model for Policies, Rules, and Packets  351
   4. First-match Firewall Policy Anomalies  352
   5. Policy Optimization  352
      Policy Reordering  352
      Combining Rules  353
      Default Accept or Deny?  353
   6. Firewall Types  353
      Packet Filter  354
      Stateful Packet Firewalls  354
      Application Layer Firewalls  354
   7. Host and Network Firewalls  355
   8. Software and Hardware Firewall Implementations  355
   9. Choosing the Correct Firewall  355
   10. Firewall Placement and Network Topology  356
      Demilitarized Zones  357
      Perimeter Networks  357
      Two-Router Configuration  357
      Dual-Homed Host  358
      Network Configuration Summary  358
   11. Firewall Installation and Configuration  358
   12. Supporting Outgoing Services Through Firewall Configuration  359
      Forms of State  359
      Payload Inspection  360
   13. Secure External Services Provisioning  360
   14. Network Firewalls for Voice and Video Applications  360
      Packet Filtering H.323  361
   15. Firewalls and Important Administrative Service Protocols  361
      Routing Protocols  361
      Internet Control Message Protocol  362
      Network Time Protocol  362
      Central Log File Management  362
      Dynamic Host Configuration Protocol  363
   16. Internal IP Services Protection  363
   17. Firewall Remote Access Configuration  364
   18. Load Balancing and Firewall Arrays  365
      Load Balancing in Real Life  365
      How to Balance the Load  365
      Advantages and Disadvantages of Load Balancing  366
   19. Highly Available Firewalls  366
      Load Balancer Operation  366
      Interconnection of Load Balancers and Firewalls  366
   20. Firewall Management  367
   21. Conclusion  367

22. Penetration Testing  369
   Sanjay Bavisi
   1. What is Penetration Testing?  369
   2. How does Penetration Testing Differ from an Actual “Hack?”  370
   3. Types of Penetration Testing  371
   4. Phases of Penetration Testing  373
      The Pre-Attack Phase  373
      The Attack Phase  373
      The Post-Attack Phase  373
   5. Defining What’s Expected  374
   6. The Need for a Methodology  375
   7. Penetration Testing Methodologies  375
   8. Methodology in Action  376
      EC-Council LPT Methodology  376
   9. Penetration Testing Risks  378
   10. Liability Issues  378
   11. Legal Consequences  379
   12. “Get out of jail free” Card  379
   13. Penetration Testing Consultants  379
   14. Required Skill Sets  380
   15. Accomplishments  380
   16. Hiring a Penetration Tester  380
   17. Why Should a Company Hire You?  381
      Qualifications  381
      Work Experience  381
      Cutting-Edge Technical Skills  381
      Communication Skills  381
      Attitude  381
      Team Skills  381
      Company Concerns  381
   18. All’s Well that Ends Well  382

23. What Is Vulnerability Assessment?  383
   Almantas Kakareka
   1. Reporting  383
   2. The “It Won’t Happen to Us” Factor  383
   3. Why Vulnerability Assessment?  384
   4. Penetration Testing Versus Vulnerability Assessment  384
   5. Vulnerability Assessment Goal  385
   6. Mapping the Network  385
   7. Selecting the Right Scanners  386
   8. Central Scans Versus Local Scans  387
   9. Defense in Depth Strategy  388
   10. Vulnerability Assessment Tools  388
      Nessus  388
      GFI LANguard  389
      Retina  389
      Core Impact  389
      ISS Internet Scanner  389
      X-Scan  389
      Sara  389
      QualysGuard  389
      SAINT  389
      MBSA  389
   11. Scanner Performance  390
   12. Scan Verification  390
   13. Scanning Cornerstones  390
   14. Network Scanning Countermeasures  390
   15. Vulnerability Disclosure Date  391
      Find Security Holes Before They Become Problems  391
   16. Proactive Security Versus Reactive Security  392
   17. Vulnerability Causes  392
      Password Management Flaws  392
      Fundamental Operating System Design Flaws  392
      Software Bugs  392
      Unchecked User Input  392
   18. DIY Vulnerability Assessment  393
   19. Conclusion  393

Part III. Encryption Technology

24. Data Encryption  397
   Dr. Bhushan Kapoor and Dr. Pramod Pandya
   1. Need for Cryptography  398
      Authentication  398
      Confidentiality  398
      Integrity  398
      Nonrepudiation  398
   2. Mathematical Prelude to Cryptography  398
      Mapping or Function  398
      Probability  398
      Complexity  398
   3. Classical Cryptography  399
      The Euclidean Algorithm  399
      The Extended Euclidean Algorithm  399
      Modular Arithmetic  399
      Congruence  400
      Residue Class  400
      Inverses  400
      Fundamental Theorem of Arithmetic  400
      Congruence Relation Defined  401
      Substitution Cipher  401
      Transposition Cipher  402
   4. Modern Symmetric Ciphers  402
      S-Box  403
      P-Boxes  403
      Product Ciphers  404
   5. Algebraic Structure  404
      Definition Group  404
      Definitions of Finite and Infinite Groups (Order of a Group)  404
      Definition Abelian Group  404
      Examples of a Group  404
      Definition: Subgroup  405
      Definition: Cyclic Group  405
      Rings  405
      Definition: Field  405
      Finite Fields GF(2^n)  405
      Modular Polynomial Arithmetic Over GF(2)  406
      Using a Generator to Represent the Elements of GF(2^n)  406
      GF(2^3) Is a Finite Field  407
   6. The Internal Functions of Rijndael in AES Implementation  407
      Mathematical Preliminaries  408
      State  408
   7. Use of Modern Block Ciphers  412
      The Electronic Code Book (ECB)  412
      Cipher-Block Chaining (CBC)  412
   8. Public-key Cryptography  412
      Review: Number Theory  412
   9. Cryptanalysis of RSA  416
      Factorization Attack  416
   10. Diffie-Hellman Algorithm  417
   11. Elliptic Curve Cryptosystems  417
      An Example  418
      Example of Elliptic Curve Addition  418
      EC Security  419
   12. Message Integrity and Authentication  419
      Cryptographic Hash Functions  419
      Message Authentication  420
      Digital Signature  420
      Message Integrity Uses a Hash Function in Signing the Message  420
      RSA Digital Signature Scheme  420
      RSA Digital Signature and the Message Digest  420
   13. Summary  421
   References  421

25. Satellite Encryption  423
   Daniel S. Soper
   1. The Need for Satellite Encryption  423
   2. Satellite Encryption Policy  425
   3. Implementing Satellite Encryption  426
      General Satellite Encryption Issues  426
      Uplink Encryption  428
      Extraplanetary Link Encryption  428
      Downlink Encryption  429
   4. The Future of Satellite Encryption  430

26. Public Key Infrastructure  433
   Terence Spies
   1. Cryptographic Background  433
      Digital Signatures  433
      Public Key Encryption  434
   2. Overview of PKI  435
   3. The X.509 Model  436
      The History of X.509  436
      The X.509 Certificate Model  436
   4. X.509 Implementation Architectures  437
   5. X.509 Certificate Validation  439
      Validation Step 1: Construct the Chain and Validate Signatures  439
      Validation Step 2: Check Validity Dates, Policy and Key Usage  439
      Validation Step 3: Consult Revocation Authorities  440
   6. X.509 Certificate Revocation  440
      Online Certificate Status Protocol  441
      Server-based Certificate Validity Protocol  442
   7. X.509 Bridge Certification Systems  443
      Mesh PKIs and Bridge CAs  443
   8. X.509 Certificate Format  444
      X.509 V1 and V2 Format  445
      X.509 V3 Format  445
      X.509 Certificate Extensions  445
      Policy Extensions  446
   9. Certificate Policy  446
   10. PKI Policy Description  447
   11. PKI Standards Organizations  448
      IETF PKIX  448
      SDSI/SPKI  448
      IETF OpenPGP  448
   12. PGP Certificate Formats  449
   13. PGP PKI Implementations  449
   14. W3C  449
   15. Alternative PKI Architectures  450
   16. Modified X.509 Architectures  450
      Perlman and Kaufman’s User-Centric PKI  450
      Gutmann’s Plug and Play PKI  450
      Callas’s Self-Assembling PKI  450
   17. Alternative Key Management Models  450

27. Instant-Messaging Security  453
   Samuel J. J. Curry
   1. Why Should I Care About Instant Messaging?  453
   2. What is Instant Messaging?  453
   3. The Evolution of Networking Technologies  454
   4. Game Theory and Instant Messaging  455
      Your Workforce  455
      Generational Gaps  456
      Transactions  457
   5. The Nature of the Threat  457
      Malicious Threat  458
      Vulnerabilities  459
      Man-in-the-Middle Attacks  459
      Phishing and Social Engineering  459
      Knowledge Is the Commodity  459
      Data and Traffic Analysis  460
      Unintentional Threats  460
      Regulatory Concerns  461
   6. Common IM Applications  461
      Consumer Instant Messaging  461
      Enterprise Instant Messaging  461
      Instant-Messaging Aggregators  462
      Backdoors: Instant Messaging Via Other Means (HTML)  462
      Mobile Dimension  462
   7. Defensive Strategies  462
   8. Instant-messaging Security Maturity and Solutions  463
      Asset Management  463
      Built-In Security  463
      Content Filtering  463
      Classic Security  463
      Compliance  464
      Data Loss Prevention  464
      Logging  464
      Archival  464
   9. Processes  464
      Instant-Messaging Activation and Provisioning  464
      Application Review  464
      People  464
      Revise  464
      Audit  464
   10. Conclusion  465
      Example Answers to Key Factors  466

Part IV. Privacy and Access Management

28. NET Privacy  469
   Marco Cremonini, Chiara Braghin and Claudio Agostino Ardagna
   1. Privacy in the Digital Society  469
      The Origins, The Debate  469
      Privacy Threats  471
   2. The Economics of Privacy  474
      The Value of Privacy  474
      Privacy and Business  475
   3. Privacy-Enhancing Technologies  476
      Languages for Access Control and Privacy Preferences  476
      Data Privacy Protection  478
      Privacy for Mobile Environments  480
   4. Network Anonymity  482
      Onion Routing  483
      Anonymity Services  484
   5. Conclusion  485

29. Personal Privacy Policies  487
   Dr. George Yee and Larry Korba
   1. Introduction  487
   2. Content of Personal Privacy Policies  488
      Privacy Legislation and Directives  488
      Requirements from Privacy Principles  488
      Privacy Policy Specification  490
   3. Semiautomated Derivation of Personal Privacy Policies  490
      An Example  492
      Retrieval from a Community of Peers  493
   4. Specifying Well-formed Personal Privacy Policies  494
      Unexpected Outcomes  494
      Outcomes From the Way the Matching Policy Was Obtained  494
   5. Preventing Unexpected Negative Outcomes  496
      Definition 1  496
      Definition 2  496
      Rules for Specifying Near Well-Formed Privacy Policies  496
      Approach for Obtaining Near Well-Formed Privacy Policies  497
   6. The Privacy Management Model  497
      How Privacy Policies Are Used  497
      Personal Privacy Policy Negotiation  499
      Personal Privacy Policy Compliance  502
   7. Discussion and Related Work  502
   8. Conclusions and Future Work  505

30. Virtual Private Networks  507
   Jim Harmening and Joe Wright
   1. History  508
   2. Who is in Charge?  511
   3. VPN Types  512
      IPsec  512
      L2TP  512
      L2TPv3  513
      L2F  513
      PPTP VPN  513
      MPLS  514
      MPVPN™  514
      SSH  514
      SSL-VPN  514
      TLS  514
   4. Authentication Methods  515
      Hashing  515
      HMAC  515
      MD5  515
      SHA-1  515
   5. Symmetric Encryption  516
   6. Asymmetric Cryptography  516
   7. Edge Devices  516
   8. Passwords  516
   9. Hackers and Crackers  517

31. Identity Theft  519
   Markus Jakobsson and Alex Tsow
   1. Experimental Design  520
      Authentic Payment Notification: Plain Versus Fancy Layout  522
      Strong Phishing Message: Plain Versus Fancy Layout  525
      Authentic Promotion: Effect of Small Footers  525
      Weak Phishing Message  527
      Authentic Message  528
      Login Page  528
      Login Page: Strong and Weak Content Alignment  529
      Login Page: Authentic and Bogus (But Plausible) URLs  532
      Login Page: Hard and Soft Emphasis on Security  532
      Bad URL, with and without SSL and Endorsement Logo  535
      High-Profile Recall Notice  535
      Low-Profile Class-Action Lawsuit  535
   2. Results and Analysis  535
   3. Implications for Crimeware  546
      Example: Vulnerability of Web-Based Update Mechanisms  547
      Example: The Unsubscribe Spam Attack  547
      The Strong Narrative Attack  548
   4. Conclusion  548

32. VoIP Security  551
   Dan Wing and Harsh Kupwade Patil
   1. Introduction  551
      VoIP Basics  551
   2. Overview of Threats  553
      Taxonomy of Threats  553
      Reconnaissance of VoIP Networks  553
      Denial of Service  554
      Loss of Privacy  555
      Exploits  557
   3. Security in VoIP  558
      Preventative Measures  558
      Reactive  559
   4. Future Trends  560
      Forking Problem in SIP  560
      Security in Peer-to-Peer SIP  561
      End-to-End Identity with SBCs  563
   5. Conclusion  564

Part V. Storage Security

33. SAN Security  567
   John McGowan, Jeffrey Bardin and John McDonald
   1. Organizational Structure  567
      AAA  568
      Restricting Access to Storage  569
   2. Access Control Lists (ACL) and Policies  570
      Data Integrity Field (DIF)  570
   3. Physical Access  571
   4. Change Management  571
   5. Password Policies  571
   6. Defense in Depth  571
   7. Vendor Security Review  571
   8. Data Classification  571
   9. Security Management  571
      Security Setup  572
      Unused Capabilities  572
   10. Auditing  572
      Updates  572
      Monitoring  572
      Security Maintenance  572
   11. Management Access: Separation of Functions  573
      Limit Tool Access  573
      Secure Management Interfaces  573
   12. Host Access: Partitioning  573
      S_ID Checking  574
   13. Data Protection: Replicas  574
      Erasure  574
   14. Potential Vulnerabilities and Threats  575
      Physical Attacks  575
      Management Control Attacks  575
      Host Attacks  575
      World Wide Name Spoofing  576
      Man-in-the-Middle Attacks  576
      E-Port Replication Attack  576
      Denial-of-Service Attacks  577
      Session Hijacking Attacks  577
   15. Encryption in Storage  577
      The Process  577
      Encryption Algorithms  578
      Key Management  579
      Configuration Management  580
   16. Application of Encryption  580
      Risk Assessment and Management  580
      Modeling Threats  580
      Use Cases for Protecting Data at Rest  581
      Use Considerations  582
      Deployment Options  582
   17. Conclusion  588
   References  589

34. Storage Area Networking Devices Security  591
   Robert Rounsavall
   1. What is a SAN?  591
   2. SAN Deployment Justifications  591
   3. The Critical Reasons for SAN Security  592
      Why Is SAN Security Important?  592
   4. SAN Architecture and Components  593
      SAN Switches  593
   5. SAN General Threats and Issues  594
      SAN Cost: A Deterrent to Attackers  594
      Physical Level Threats, Issues, and Risk Mitigation  594
      Logical Level Threats, Vulnerabilities, and Risk Mitigation  596
   6. Conclusion  603

35. Risk Management  605
   Sokratis K. Katsikas
   1. The Concept of Risk  606
   2. Expressing and Measuring Risk  606
   3. The Risk Management Methodology  609
      Context Establishment  609
      Risk Assessment  610
      Risk Treatment  612
      Risk Communication  614
      Risk Monitoring and Review  614
      Integrating Risk Management into the System Development Life Cycle  614
      Critique of Risk Management as a Methodology  615
      Risk Management Methods  616
   4. Risk Management Laws and Regulations  620
   5. Risk Management Standards  623
   6. Summary  625

Part VI. Physical Security

36. Physical Security Essentials  629
   William Stallings
   1. Overview  629
   2. Physical Security Threats  630
      Natural Disasters  630
      Environmental Threats  631
      Technical Threats  633
      Human-Caused Physical Threats  634
   3. Physical Security Prevention and Mitigation Measures  634
      Environmental Threats  634
      Technical Threats  635
      Human-Caused Physical Threats  635
   4. Recovery from Physical Security Breaches  636
   5. Threat Assessment, Planning, and Plan Implementation  636
      Threat Assessment  636
      Planning and Implementation  637
   6. Example: A Corporate Physical Security Policy  637
   7. Integration of Physical and Logical Security  639
   References  643

37. Biometrics  645
   Luther Martin
   1. Relevant Standards  646
   2. Biometric System Architecture  647
      Data Capture  648
      Signal Processing  648
      Matching  649
      Data Storage  649
      Decision  649
      Adaptation  652
   3. Using Biometric Systems  652
      Enrollment  652
      Authentication  653
      Identification  654
   4. Security Considerations  655
      Error Rates  655
      Doddington’s Zoo  656
      Birthday Attacks  656
      Comparing Technologies  657
      Storage of Templates  658
   Conclusion  659

38. Homeland Security  661
   Rahul Bhaskar Ph.D. and Bhushan Kapoor
   1. Statutory Authorities  661
      The USA PATRIOT Act of 2001 (PL 107-56)  661
      The Aviation and Transportation Security Act of 2001 (PL 107-71)  663
      Enhanced Border Security and Visa Entry Reform Act of 2002 (PL 107-173)  663
      Public Health Security, Bioterrorism Preparedness & Response Act of 2002 (PL 107-188)  664
      Homeland Security Act of 2002 (PL 107-296)  665
      E-Government Act of 2002 (PL 107-347)  666
   2. Homeland Security Presidential Directives  667
   3. Organizational Actions  669
      Department of Homeland Security Subcomponents  669
      State and Federal Organizations  669
      The Governor’s Office of Homeland Security  670
      California Office of Information Security and Privacy Protection  670
      Private Sector Organizations for Information Sharing  670
   Conclusion  674

39. Information Warfare  677
   Jan Eloff and Anna Granova
   1. Information Warfare Model  677
   2. Information Warfare Defined  678
   3. IW: Myth or Reality?  678
   4. Information Warfare: Making IW Possible  680
      Offensive Strategies  680
   5. Preventative Strategies  685
   6. Legal Aspects of IW  686
      Terrorism and Sovereignty  686
      Liability Under International Law  686
      Remedies Under International Law  687
      Developing Countries Response  689
   7. Holistic View of Information Warfare  689
   8. Conclusion  690

Part VII. Advanced Security

40. Security Through Diversity  693
   Kevin Noble
   1. Ubiquity  693
   2. Example Attacks Against Uniformity  694
   3. Attacking Ubiquity With Antivirus Tools  694
   4. The Threat of Worms  695
   5. Automated Network Defense  697
   6. Diversity and the Browser  698
   7. Sandboxing and Virtualization  698
   8. DNS Example of Diversity through Security
   9. Recovery from Disaster is Survival
   10. Conclusion

41. Reputation Management
42.
Content Filtering
701
7.
702
704
708
711
711
713
714
715
716
717
719
720
720
720
723
Peter Nicoletti
1. The Problem with Content
Filtering
2. User Categories, Motivations,
and Justifications
Schools
Commercial Business
Financial Organizations
Healthcare Organizations
Internet Service Providers
5.
6.
699
699
700
Dr. Jean-Marc Seigneur
1. The Human Notion of Reputation
2. Reputation Applied to the
Computing World
3. State of the Art of Attack-resistant
Reputation Computation
4. Overview of Current Online
Reputation Service
eBay
Opinity
Rapleaf
Venyo
TrustPlus ؉ Xing ؉ ZoomInfo ؉
SageFire
Naymz ϩ Trufina
The GORB
ReputationDefender
Summarizing Table
5. Conclusion
4.
723
724
725
725
725
725
725
U.S. Government
Other Governments
Libraries
Parents
Content Blocking Methods
Banned Word Lists
URL Block
Category Block
Bayesian Filters
Safe Search Integration to Search
Engines with Content Labeling
Content-Based Image Filtering
(CBIF)
Technology and Techniques for
Content-Filtering Control
Internet Gateway-Based Products/
Unified Threat Appliances
Categories
Legal Issues
Federal Law: ECPA
CIPA: The Children’s Internet
Protection Act
The Trump Card of Content
Filtering: The “National Security
Letter”
ISP Content Filtering Might Be
a “Five-Year Felony”
Issues and Problems with Content
Filtering
Bypass and Circumvention
Client-Based Proxies
Open Proxies
HTTP Web-Based Proxies
(Public and Private)
Secure Public Web-Based Proxies
Process Killing
Remote PC Control Applications
Overblocking and Underblocking
Blacklist and Whitelist
Determination
Casual Surfing Mistake
Getting the List Updated
Time-of-Day Policy Changing
Override Authorization Methods
Hide Content in “Noise” or Use
Steganography
Nonrepudiation: Smart Cards,
ID Cards for Access
Warn and Allow Methods
Integration with Spam Filtering tools
Detect Spyware and Malware
in the HTTP Payload
Integration with Directory Servers
Language Support
Financial Considerations Are
Important
Scalability and Usability
Performance Issues
Reporting Is a Critical Requirement
Bandwidth Usage
725
725
725
726
726
726
726
726
727
727
727
728
728
732
735
735
735
736
736
737
737
737
739
739
739
739
739
740
740
740
740
740
740
740
740
740
740
740
740
741
741
741
742
742
742
xix
Contents
Precision Percentage and Recall
9. Related Products
10. Conclusion
43.
Data Loss Protection
742
743
743
745
Ken Perkins
1. Precursors of DLP
2. What is DLP?
3. Where to Begin?
4. Data is Like Water
5. You Don’t Know What You
Don’t Know
Precision versus Recall
6. How Do DLP Applications Work?
7. Eat Your Vegetables
Data in Motion
Data at Rest
Data in Use
8. It’s a Family Affair, Not Just
it Security’s Problem
9. Vendors, Vendors Everywhere!
Who Do You Believe?
10. Conclusion
6.
Previous Logon Information
Configuration
Security Considerations
Appendix B
755
756
756
757
757
758
758
760
762
762
Appendix C
Configuring Authentication
Service on Microsoft
Windows Vista
765
John R. Vacca
2.
3.
4.
5.
Backup and Restore of Stored
Usernames and Passwords
Automation and Scripting
Security Considerations
Credential Security Service Provider
and SSO for Terminal Services Logon
Requirements
Configuration
Security Considerations
TLS/SSL Cryptographic
Enhancements
AES Cipher Suites
ECC Cipher Suites
Schannel CNG Provider Model
Default Cipher Suite Preference
Previous Cipher Suites
Kerberos Enhancements
AES
Read-Only Domain Controller
and Kerberos Authentication
Smart Card Authentication Changes
Additional Changes to Common
Smart Card Logon Scenarios
765
765
765
765
766
766
766
766
766
767
768
769
769
769
769
770
770
771
List of Top Security
Implementation and
Deployment Companies 777
List of SAN Implementation
and Deployment Companies
SAN Security Implementation
and Deployment Companies:
Appendix D
List of Security
Products
Security Software
Appendix E
Appendix F
1.
775
John R. Vacca
747
748
753
754
Part VIII
Appendices
Appendix A
Security Management
and Resiliency
773
774
774
778
781
781
List of Security
Standards
783
List of Miscellaneous
Security Resources
785
Conferences
Consumer Information
Directories
Help and Tutorials
Mailing Lists
News and Media
Organizations
Products and Tools
Research
Content Filtering Links
Other Logging Resources
Appendix G
778
Ensuring Built-in
Frequency Hopping
Spread Spectrum
Wireless Network
Security
Accomplishment
Background
Additional Information
Appendix H Configuring Wireless
Internet Security
Remote Access
Adding the Access Points as RADIUS
Clients to IAS
Adding Access Points to the first
IAS Server
785
785
786
786
786
787
787
788
790
791
791
793
793
793
793
795
795
795
xx
Contents
Scripting the Addition of Access Points to
IAS Server (Alternative Procedure)
Configuring the Wireless Access Points
Enabling Secure WLAN Authentication
on Access Points
Additional Settings to Secure
Wireless Access Points
Replicating RADIUS Client Configuration
to Other IAS Servers
Appendix I Frequently Asked
Questions
799
796
Appendix J
801
797
Index
795
796
798
Glossary
817
Foreword
The Computer and Information Security Handbook is an
essential reference guide for professionals in all realms
of computer security. Researchers in academia, industry,
and government as well as students of security will find
the Handbook helpful in expediting security research
efforts. The Handbook should become a part of every
corporate, government, and university library around the
world.
Dozens of experts from virtually every industry have
contributed to this book. The contributors are the leading
experts in computer security, privacy protection and management, and information assurance. They are individuals who will help others in their communities to address
the immediate as well as long-term challenges faced in
their respective computer security realms.
These important contributions make the Handbook
stand out among all other security reference guides. I
know and have worked with many of the contributors
and can testify to their experience, accomplishments, and
dedication to their fields of work.
John Vacca, the lead security consultant and managing
editor of the Handbook, has worked diligently to see that
this book is as comprehensive as possible. His knowledge, experience, and dedication have combined to create
a book of more than 1400 pages covering every important
aspect of computer security and the assurance of the confidentiality, integrity, and availability of information.
The depth of knowledge brought to the project by all
the contributors assures that this comprehensive handbook will serve as a professional reference and provide a
complete and concise view of computer security and privacy. The Handbook provides in-depth coverage of computer security theory, technology, and practice as it relates
to established technologies as well as recent advancements in technology. Above all, the Handbook explores
practical solutions to a wide range of security issues.
Another important characteristic of the Handbook is
that it is a vendor-edited volume with chapters written by
leading experts in industry and academia who do not support any specific vendor’s products or services. Although
there are many excellent computer security product and
service companies, these companies often focus on promoting their offerings as one-and-only, best-on-the-market solutions. Such bias can lead to narrow decision
making and product selection and thus was excluded
from the Handbook.
Michael Erbschloe
Michael Erbschloe teaches information security courses
at Webster University in St. Louis, Missouri.
Preface
This comprehensive handbook serves as a professional
reference to provide today’s most complete and concise
view of computer security and privacy available in one
volume. It offers in-depth coverage of computer security
theory, technology, and practice as they relate to established technologies as well as recent advancements. It
explores practical solutions to a wide range of security
issues. Individual chapters are authored by leading experts
in the field and address the immediate and long-term challenges in the authors’ respective areas of expertise.
The primary audience for this handbook consists of
researchers and practitioners in industry and academia as
well as security technologists and engineers working with
or interested in computer security. This comprehensive
reference will also be of value to students in upper-division undergraduate and graduate-level courses in computer security.
ORGANIZATION OF THIS BOOK
The book is organized into eight parts composed of 43
contributed chapters by leading experts in their fields, as
well as 10 appendices, including an extensive glossary
of computer security terms and acronyms.
Part 1: Overview of System and Network
Security: A Comprehensive Introduction
Part 1 discusses how to build a secure organization; generating cryptography; how to prevent system intrusions;
UNIX and Linux security; Internet and intranet security;
LAN security; wireless network security; cellular network security, and RFID security. For instance:
Chapter 1, “Building a Secure Organization,” sets the
stage for the rest of the book by presenting insight
into where to start building a secure organization.
Chapter 2, “A Cryptography Primer,” provides an overview of cryptography. It shows how communications
may be encrypted and transmitted.
Chapter 3, “Preventing System Intrusions,” discusses how
to prevent system intrusions and where an
unauthorized penetration of a computer in your enterprise or an address in your assigned domain can occur.
Chapter 4, “Guarding Against Network Intrusions,”
shows how to guard against network intrusions by
understanding the variety of attacks, from exploits to
malware and social engineering.
Chapter 5, “UNIX and Linux Security,” discusses how
to scan for vulnerabilities; reduce denial-of-service
(DoS) attacks; deploy firewalls to control network
traffic; and build network firewalls.
Chapter 6, “Eliminating the Security Weakness of Linux
and UNIX Operating Systems,” presents an introduction to securing UNIX in general and Linux in
particular, providing some historical context and
describing some fundamental aspects of the secure
operating system architecture.
Chapter 7, “Internet Security,” shows you how cryptography can be used to address some of the security
issues besetting communications protocols.
Chapter 8, “The Botnet Problem,” describes the botnet
threat and the countermeasures available to network
security professionals.
Chapter 9, “Intranet Security,” covers internal security
strategies and tactics; external security strategies and
tactics; network access security; and Kerberos.
Chapter 10, “Local Area Network Security,” discusses
network design and security deployment as well as
ongoing management and auditing.
Chapter 11, “Wireless Network Security,” presents an
overview of wireless network security technology;
how to design wireless network security and plan for
wireless network security; how to install, deploy, and
maintain wireless network security; information warfare countermeasures: the wireless network security
solution; and wireless network security solutions and
future directions.
Chapter 12, “Cellular Network Security,” addresses
the security of the cellular network; educates readers on the current state of security of the network
and its vulnerabilities; outlines the cellular network
specific attack taxonomy, also called three-dimensional attack taxonomy; discusses the vulnerability
assessment tools for cellular networks; and provides
insights into why the network is so vulnerable and
why securing it can prevent communication outages
during emergencies.
Chapter 13, “RFID Security,” describes the RFID tags
and RFID reader and back-end database in detail.
Part 2: Managing Information Security
Part 2 discusses how to protect mission-critical systems;
deploy security management systems, IT security, ID
management, intrusion detection and prevention systems,
computer forensics, network forensics, firewalls, and penetration testing; and conduct vulnerability assessments.
For instance:
Chapter 14, “Information Security Essentials for IT
Managers: Protecting Mission-Critical Systems,”
discusses how security goes beyond technical
controls and encompasses people, technology, policy,
and operations in a way that few other business
objectives do.
Chapter 15, “Security Management Systems,” examines documentation requirements and maintaining
an effective security system as well as conducting
assessments.
Chapter 16, “Information Technology Security
Management,” discusses the processes that are supported with enabling organizational structure and
technology to protect an organization’s information
technology operations and IT assets against internal
and external threats, intentional or otherwise.
Chapter 17, “Identity Management,” presents the evolution of identity management requirements. It also
surveys how the most advanced identity management
technologies fulfill present-day requirements. It discusses how mobility can be achieved in the field of
identity management in an ambient intelligent/
ubiquitous computing world.
Chapter 18, “Intrusion Prevention and Detection
Systems,” discusses the nature of computer system
intrusions, the people who commit these attacks, and
the various technologies that can be utilized to detect
and prevent them.
Chapter 19, “Computer Forensics,” is intended to provide an in-depth familiarization with computer forensics as a career, a job, and a science. It will help you
avoid mistakes and find your way through the many
aspects of this diverse and rewarding field.
Chapter 20, “Network Forensics,” helps you
determine the path from a victimized network or
system through any intermediate systems and
communication pathways, back to the point of
attack origination or the person who should be
held accountable.
Chapter 21, “Firewalls,” provides an overview of
firewalls: policies, designs, features, and configurations. Of course, technology is always changing, and
network firewalls are no exception. However, the
intent of this chapter is to describe aspects of
network firewalls that tend to endure over time.
Chapter 22, “Penetration Testing,” describes how
testing differs from an actual “hacker attack” as well
as some of the ways penetration tests are conducted,
how they’re controlled, and what organizations might
look for when choosing a company to conduct a
penetration test for them.
Chapter 23, “What Is Vulnerability Assessment?”
covers the fundamentals: defining vulnerability,
exploit, threat, and risk; analyzing vulnerabilities and
exploits; and configuring scanners. It also shows you
how to generate reports, assess risks in a changing
environment, and manage vulnerabilities.
Part 3: Encryption Technology
Part 3 discusses how to implement data encryption, satellite encryption, public key infrastructure, and instant-messaging security. For instance:
Chapter 24, “Data Encryption,” is about the role played
by cryptographic technology in data security.
Chapter 25, “Satellite Encryption,” proposes a method
that enhances and complements satellite encryption’s role in securing the information society. It
also covers satellite encryption policy instruments;
implementing satellite encryption; misuse of satellite encryption technology; and results and future
directions.
Chapter 26, “Public Key Infrastructure,” explains the
cryptographic background that forms the foundation
of PKI systems; the mechanics of the X.509 PKI
system (as elaborated by the Internet Engineering
Task Force); the practical issues surrounding the
implementation of PKI systems; a number of alternative PKI standards; and alternative cryptographic
strategies for solving the problem of secure public
key distribution.
Chapter 27, “Instant-Messaging Security,” helps you
develop an IM security plan, keep it current, and
make sure it makes a difference.