THE BASICS OF INFORMATION SECURITY
Understanding the Fundamentals of InfoSec in Theory and Practice
Jason Andress
Contents

ABOUT THE AUTHOR ix
ABOUT THE TECHNICAL EDITOR xi
FOREWORD xiii
INTRODUCTION xv
CHAPTER 1 What Is Information Security? 1
CHAPTER 2 Identification and Authentication 17
CHAPTER 3 Authorization and Access Control 33
CHAPTER 4 Auditing and Accountability 51
CHAPTER 5 Cryptography 63
CHAPTER 6 Operations Security 81
CHAPTER 7 Physical Security 97
CHAPTER 8 Network Security 115
CHAPTER 9 Operating System Security 131
CHAPTER 10 Application Security 147
INDEX 167
About the Author

Jason Andress (ISSAP, CISSP, GPEN, CEH) is a seasoned security professional with a depth of experience in both the academic and business worlds. He is presently employed by a major software company, providing global information security oversight, and performing penetration testing, risk assessment, and compliance functions to ensure that the company's assets are protected. Jason has taught undergraduate and graduate security courses since 2005 and holds a doctorate in computer science, researching in the area of data protection. He has authored several publications and books, writing on topics including data security, network security, penetration testing, and digital forensics.
About the Technical Editor

Russ Rogers (CISSP, CISM, IAM, IEM, HonScD), author of the popular Hacking a Terror Network (Syngress, ISBN 1-928994-98-9); coauthor of multiple other books including the best-selling Stealing the Network: How to Own a Continent (Syngress, ISBN 1-931836-05-1), Network Security Evaluation Using the NSA IEM (Syngress, 1-597490-35-0), and former editor-in-chief of The Security Journal; is currently a penetration tester for a federal agency and the cofounder and chief executive officer of Peak Security, Inc., a veteran-owned small business based in Colorado Springs, CO. He has been involved in information technology since 1980 and has spent the last 20 years working professionally as both an IT and INFOSEC consultant. He has worked with the United States Air Force (USAF), National Security Agency (NSA), Defense Information Systems Agency (DISA), and other federal agencies. He is a globally renowned security expert, speaker, and author who has presented at conferences around the world including Amsterdam, Tokyo, Singapore, Sao Paulo, Abu Dhabi, and cities all over the United States.

Russ has an honorary doctorate of science in information technology from the University of Advancing Technology, a master's degree in computer systems management from the University of Maryland, a bachelor of science in computer information systems from the University of Maryland, and an associate degree in applied communications technology from the Community College of the Air Force. He is currently pursuing a bachelor of science in electrical engineering from the University of Colorado at Colorado Springs. He is a member of ISSA and ISC2 (CISSP). He also teaches at and fills the role of professor of network security for the University of Advancing Technology (http://www.uat.edu).

Russ would like to thank his children, his father, and Tracie for being so supportive over the years. Thanks and shout-outs go out to Chris Hurley, Mark Carey, Rob Bathurst, Pushpin, Paul Criscuolo, Ping Look, Greg Miles, Ryan Clarke, Luke McOmie, Curtis Letson, and Eddie Mize.
Foreword

Boring, boring, boring. Isn't this what immediately comes to mind when one sees books on foundational concepts of information security? Monotonous coverage of theory, dry details of history, brief yet inadequate coverage of every topic known to man, even though you know that you'll never be hired by the NSA as a cryptographer. All you really want is a book that makes you fall asleep every 30 minutes instead of every five. It's all the "necessary evil" that must be endured, right? Not this time, my budding security professional.

So let's be honest. You actually do have a strong interest in making security a career and not just a hobby. Why else would you have this book in your hand? But like many of you, I didn't know (and sometimes still wonder to this day) what I wanted to be when I grew up. So why this book? What's so great about another extensive volume on information security? How does it help me not only to learn the basics but also to push my career aspirations in the right direction?

When my son was 4, I took him to the park down the road from our house. There were kids playing baseball, others chasing their friends through the plastic and metal jungle, and even a few climbing the fake rock-climbing wall. Then he saw the boys at the skateboard park. He had a board of his own but never knew someone could do that! Of course, he wanted to try it immediately. As a responsible Dad, I couldn't let him launch himself off the top of a 6-foot ramp only to end up unconscious waiting to be run over by the next prepubescent wannabe Tony Hawk. But what I could do is require him to show me that he could do something basic like stand on the board and ride it all the way down the driveway at home. As a reward, he could go to the skate park. Once there, he didn't feel quite as comfortable as when on the driveway, so he rode down the ramp while sitting. Eventually, he dictated his own path; he set his own goals; he controlled the time it took to get where he wanted to be.

His path was different from many others at the park that day. But imagine if we never went to the park. How about if he only saw a baseball being tossed and no home runs? What if he didn't even get to see the skate park, much less the kids airing the gap? Knowing what is possible can drastically change one's destiny. And so it is with a profession in security.

Simply wanting a career in information security is not specific enough to convey all the possible job descriptions in an industry that now touches every other. What Dr. Andress has done, in addition to giving a solid foundation, is make your neurons spark. It's those sparks that have the "intended" consequence of giving career advice. How does he do this? Instead of just sticking to the tried and true classroom tactics of presenting the information and requiring rote memorization, he cleverly intermixes hacking, forensics, and