
The Disaster Center Bookstore

Disaster Center Bookstore - a service of Rothstein Associates

Info, Network Security, Info Protection

Complete Guide to Internet Security
by Mark S. Merkow, CCP & James Breithaupt.
2000, 356 pages.
CD514
$25.00
THE COMPLETE GUIDE TO INTERNET SECURITY
by Mark S. Merkow, CCP and James Breithaupt

“What stands between your organization's computer systems and all the security
threats that lurk out there - or within your own walls? The first line of defense is
security awareness. The second is technological know-how. This authoritative
book is your vital guide to both aspects of Internet security, written by "infosec"
professionals for two of America's most prominent corporations.

“Practical and readable, it consolidates and distills into one convenient volume a
vast amount of security information on:
- Inherent vulnerabilities of Internet-attached networks
- Weaknesses of e-commerce sites
- Common hacker tools
- Insider attacks
- Physical and logical system security, including firewalls, routers, proxies,
access controls, intrusion detection, and policy-based networking
- Commercial security software
- Security settings for servers, user desktops, and database management
- Cryptography, and much more.”

====================================

“So you think your organization has taken every possible computer security
precaution? Despite your efforts, catastrophe may strike at any moment. Security
problems are rampant, given the interconnectedness of today's computer systems.
Whether working from within or without, at random or with malicious intent,
hackers can wreak havoc on your business within seconds. Your systems are also
easy prey for corporate espionage, internal negligence, technological accidents,
and other potential disasters. The resulting damage can run to millions of dollars,
even billions for e-vendors, in lost revenues and recovery expenses.

“This comprehensive book is your one-stop guide to Internet security. Designed for
all information technology professionals - CIOs, security administrators and
auditors, network architects, systems analysts, and programmers - it shows how to
analyze your company's systems in terms of potential security risks. Then it
explains how to design and implement a well-thought-out security plan that covers
every aspect of your technology needs.

“You'll begin by reviewing the fundamentals. The authors emphasize the need for a
complete corporate security policy that encompasses every part of the
organization where data is created, modified, stored, processed, or exchanged.
You'll also look inside a hacker's toolbox and test your own knowledge of the
potential hazards out there.

“Paying special attention to Internet-attached networks and e-commerce systems,
the authors help you determine if your organization's current efforts are meeting
industry standards. They include a sample Internet security policy that your
organization can adapt for your own use.

“Next, you'll learn to launch or enhance an effective defense. The authors reveal
how to address the problems inherent in the testing of security products and take
you deeper into first-line security technologies including routers, firewalls, and
intrusion detection systems. Of special interest is a close examination of the
newest framework for security threats - the Common Vulnerabilities and Exposures
(CVE) initiative.

“On the physical side of security, the book explores such essentials as access
controls, system monitoring, passwords, and the use of commercial software to
protect information resources. Following a proven model, you'll proceed step by
step toward a layered approach that protects your intranet and extranets, and
secures all online transactions for your customers.

“Are cryptosystems the solution to your e-security needs? You'll be able to
determine for yourself how much security is enough after a thorough investigation
of transport layer cryptography, digital signatures, private keys, smart cards, and
biometrics.

“In short, The Complete Guide to Internet Security explains everything you need to
know about big picture security for your organization, without getting into
micro-level details of implementation. Use it to focus your search for appropriate
solutions to your security concerns - and to sleep better at night.”

====================================

CONTENTS

ACKNOWLEDGMENTS

1. BUILDING A FOUNDATION FOR INFORMATION SECURITY
Information Security in Context
A Security Policy That Sets the Stage for Success
The Four Types of Policies
Useful Hints for Policy Creation
An Executive's Guide to the Protection of Information Resources
The Program Elements of Information Protection
Implementation of the Information Protection Program
Summary

2. THE FUNDAMENTAL ELEMENTS OF SECURITY
No Single Solution but Planning
The New Need for Security
Principles for Building a Security Culture
Rolling Your Own Policies
An Ounce of Prevention Is Worth a Pound of Security

3. VULNERABILITIES TO INTERNET-ATTACHED NETWORKS
A Brief History of the Internet
The Vulnerabilities of Communications
Early Recommendations for New and Existing Internet Connections

4. HACKING ISN'T BEYOND THE CORPORATE PERIMETER
Uncertainty: The Worst of the Problems
The Role of Laziness and Incompetence
Basic Threats
Types of Hackers
Types of Hacking

5. PEEKING INSIDE A HACKER'S TOOLBOX
SATAN
Hacking Your Way through the Internet
Popular Hacking Tools
Testing Your Hacking IQ
So What Can You Do to Save Yourself?

6. INSTRUMENTAL EFFECTS FOR SECURITY ASSURANCE
The Common Criteria (CC) for Information Technology Security Evaluation
The Conundrum of Security Testing
The National Information Assurance Partnership (NIAP)
The Common Evaluation Methodology (CEM)
NIAP Activities

7. SECURITY TECHNOLOGIES
Routers
Firewalls
Intrusion Detection Systems (IDSs)
Building Confidence with a Layered Approach to Security
CVE: A Common Framework for Computer Security Threats

8. PHYSICAL SECURITY CONTROL
Aspects of Physical Security

9. LOGICAL ACCESS CONTROL
Dimensions of Logical Access Control
Web Server Security
Logical Access Control Methods
Logical Access Control through Network Design
More Settings at the Server
Protect Yourself from Yourself

10. APPLICATION LAYER SECURITY
Intranets and Extranets
How Much E-Commerce Security Is Enough?
Secure Electronic Transaction (SET)
The Corporate Purchasing Landscape
Open Buying on the Internet

11. AN INTRODUCTION TO CRYPTOGRAPHY
Basic Terms and Concepts
Cryptosystems as the Answer to the Needs of Today's E-Commerce

12. TRANSPORT LAYER CRYPTOGRAPHY
The SSL Protocol
Virtual Private Networks
The Future of Network Transport

13. DIGITAL SIGNATURES AND PPK CRYPTOGRAPHY
Digital Certificates
Building an Infrastructure for the Use of Digital Certificates
Protecting Private Keys
Certificate Practice Statements
Developing a PKI

14. KEY MANAGEMENT CONSIDERATIONS
Principles of Secure Cryptosystems
What Threatens Cryptographic Systems?
Security Requirements for Cryptomodules
Choosing Hardware- or Software-Based Cryptomodules
The Layers of Cryptography
Hardware Assisted Cryptography

15. MULTIFACTOR ACCESS CONTROLS USING CRYPTOGRAPHY
SmartCards
Biometrics

16. MINDING THE STORE FOR THE LONG RUN
Government Resources
Reporting Internet-Related Crime
Security Vulnerability Scanning
Reinforcing Network Security Responsibilities
Conclusion

APPENDIX A. A SAMPLE INTERNET SECURITY POLICY
APPENDIX B. INTERNET BOOKMARKS TO SECURITY-RELATED SITES
APPENDIX C. SECURITY AND SECURITY-TESTING SPECIALISTS
APPENDIX D. SUGGESTED READINGS
APPENDIX E. GLOSSARY OF TERMS

Index

====================================

ABOUT THE AUTHORS

“MARK S. MERKOW, CCP, is the author of 4 previous computer books, including
Virtual Private Networks for Dummies, as well as dozens of articles in trade
journals and e-zines such as E-Commerce Outlook. He is an e-commerce security
officer in the information systems division of a major global financial services
company. Mr. Merkow lives in Tempe, Arizona.

“JAMES BREITHAUPT is coauthor (with Mark Merkow) of Building SET
Applications for Secure Transactions. Currently a project manager for a premier
U.S. brokerage firm with a top-rated online presence, he has extensive consulting
experience in the financial services industry. Mr. Breithaupt also teaches writing
and literature courses at community colleges in his home city of Phoenix.”

====================================

2000, 356 pages. Order #DR514.

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEin
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
