Andress - The Basics of Information Security

1. Tables in Chapter 6

1. Figures in Chapter 1
2. Figures in Chapter 2
3. Figures in Chapter 3
4. Figures in Chapter 4
5. Figures in Chapter 5
6. Figures in Chapter 7
7. Figures in Chapter 9
8. Figures in Chapter 10
9. Figures in Chapter 11
10. Figures in Chapter 12

Second Edition

Jason Andress

Steven Winterfeld

Technical Editor

Acquiring Editor: Chris Katsaropoulos

Editorial Project Manager: Benjamin Rearick

Project Manager: Malathi Samayan

Designer: Matthew Limbert

Syngress is an imprint of Elsevier

225 Wyman Street, Waltham, MA 02451, USA

The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, UK

First edition 2011

Copyright 2014 Elsevier Inc. All rights reserved

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publishers permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notice

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices, may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described here in. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data

Andress, Jason.

The basics of information security : understanding the fundamentals of InfoSec in theory and practice/Jason Andress. Second edition.

pages cm

ISBN 978-0-12-800744-0 (paperback)

1. Computer security. 2. Computer networksSecurity measures. 3. Information resources management. I. Title.

QA76.9.A25A5453 2014

005.8--dc23

2014006770

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the British Library

ISBN: 978-0-12-800744-0

For information on all Syngress publications, visit our website at www.syngress.com

Printed and bound in the United States of America

14 15 16 17 18 10 9 8 7 6 5 4 3 2 1

Many thanks go to my family for persevering through yet another project. Additionally, thanks to Steve for being a good friend and doing a great job tech editing.

Dr. Jason Andress (ISSAP, CISSP, GPEN, CISM) is a seasoned security professional with a depth of experience in both the academic and business worlds. In his present and previous roles, he has provided information security expertise to a variety of companies operating globally. He has taught undergraduate and graduate security courses since 2005 and conducts research in the area of data protection. He has written several books and publications covering topics including data security, network security, penetration testing, and digital forensics.

Book overview and key learning points

Book audience

How this book is organized

The Basics of Information Security will provide the reader with a basic knowledge of information security in both theoretical and practical aspects. We will first cover the basic knowledge needed to understand the key concepts of information security, discussing many of the concepts that underpin the security world. We will then dive into practical applications of these ideas in the areas of operations, physical, network, operating system, and application security.

This book will provide a valuable resource to beginning security professionals, as well as to network and systems administrators. The information provided on can be used to develop a better understanding on how we protect our information assets and defend against attacks, as well as how to apply these concepts practically.

Those in management positions will find this information useful as well, from the standpoint of developing better overall security practices for their organizations. The concepts discussed in this book can be used to drive security projects and policies, in order to mitigate some of the issues discussed.

This book is designed to take the reader through a logical progression for a foundational understanding of information security and is best read in the order of the chapters from front to back. In the areas where we refer to information located in other chapters in the book, we have endeavored to point out where the information can be found. The following descriptions will provide an overview of the contents of each chapter.

In this chapter, we cover some of the most basic concepts of information security. Information security is vital in the era in which data regarding countless individuals and organizations is stored in a variety of computer systems, often not under our direct control. We talk about the diametrically opposing concepts of security and productivity the models that are helpful in discussing security concepts, such as the CIA triad and the Parkerian hexad, as well as the basic concepts of risk and controls to mitigate it. Lastly, we cover defense in depth and its place in the information security world.

In , we cover the security principles of identification and authentication. We discuss identification as being the process by which we assert the identity of a particular party, whether this is true or not. We talk about the use of authentication as the means of validating whether the claim of identity is true. Also covered are multifactor authentication and the use of biometrics and hardware tokens to enhance surety in the authentication process.

In this chapter, we discuss the use of authorization and access control. Authorization is the next step in the process that we work through in order to allow entities access to resources. We cover the various access control models that we use when putting together systems such as discretionary access control, mandatory access control, and role-based access control. We also talk about multilevel access control models, including Bell LaPadula, Biba, Clark-Wilson, and Brewer and Nash. In addition to the commonly discussed concepts of logical access control, we also go over some of the specialized applications that we might see when looking specifically at physical access control.