Fundamentals of Information Systems Security 4th Edition by David Kim, ISBN-13: 978-1284220735

  • Publisher: Jones & Bartlett Learning; 4th edition (December 24, 2021)
  • Language: English
  • ISBN-10: 1284220737
  • ISBN-13: 978-1284220735

Revised and updated with the latest trends and information in the field, Fundamentals of Information Systems Security, Fourth Edition provides a comprehensive overview of the concepts readers must know as they pursue careers in information systems security. The text opens with a discussion of emerging technologies and the risks, threats, and vulnerabilities associated with our digital world. Part II takes a deeper dive into the foundational knowledge areas and functions associated with a career in information security. The book closes with a survey of information security standards, professional certifications, and compliance laws. With its practical, conversational writing style and step-by-step examples, this text is a must-have resource for those entering the world of information systems security.

Table of Contents:

Cover

Title Page

Copyright Page

Dedication Page

Contents

Preface

New to This Edition

Acknowledgments

The Authors

CHAPTER 1 Information Systems Security

Information Systems Security

Risks, Threats, and Vulnerabilities

What Is Information Systems Security?

Compliance Laws and Regulations Drive the Need for Information Systems Security

Tenets of Information Systems Security

Confidentiality

Integrity

Availability

The Seven Domains of a Typical IT Infrastructure

User Domain

Workstation Domain

LAN Domain

LAN-to-WAN Domain

WAN Domain

Remote Access Domain

System/Application Domain

Weakest Link in the Security of an IT Infrastructure

Ethics and the Internet

IT Security Policy Framework

Definitions

Foundational IT Security Policies

Data Classification Standards

Chapter Summary

Key Concepts and Terms

Chapter 1 Assessment

CHAPTER 2 Emerging Technologies Are Changing How We Live

Evolution of the Internet of Things

Converting to a TCP/IP World

IoT’s Impact on Human and Business Life

How People Like to Communicate

IoT Applications That Impact Our Lives

Evolution from Brick and Mortar to E-Commerce

Why Businesses Must Have an Internet and IoT Marketing Strategy

IP Mobility

Mobile Users and Bring Your Own Device

Mobile Applications

IP Mobile Communications

New Challenges Created by the IoT

Security

Privacy

Interoperability and Standards

Legal and Regulatory Issues

E-Commerce and Economic Development Issues

Chapter Summary

Key Concepts and Terms

Chapter 2 Assessment

CHAPTER 3 Risks, Threats, and Vulnerabilities

Risk Management and Information Security

Risk Terminology

Elements of Risk

Purpose of Risk Management

The Risk Management Process

Identify Risks

Assess and Prioritize Risks

Plan a Risk Response Strategy

Implement the Risk Response Plan

Monitor and Control Risk Response

IT and Network Infrastructure

Intellectual Property

Finances and Financial Data

Service Availability and Productivity

Reputation

Who Are the Perpetrators?

Risks, Threats, and Vulnerabilities in an IT Infrastructure

Threat Targets

Threat Types

What Is a Malicious Attack?

Birthday Attacks

Brute-Force Password Attacks

Credential Harvesting and Stuffing

Dictionary Password Attacks

IP Address Spoofing

Hijacking

Replay Attacks

Man-in-the-Middle Attacks

Masquerading

Eavesdropping

Social Engineering

Phreaking

Phishing

Pharming

What Are Common Attack Vectors?

Social Engineering Attacks

Wireless Network Attacks

Web Application Attacks

The Importance of Countermeasures

Chapter Summary

Key Concepts and Terms

Chapter 3 Assessment

CHAPTER 4 Business Drivers of Information Security

Risk Management’s Importance to the Organization

Understanding the Relationship between a BIA, a BCP, and a DRP

Business Impact Analysis (BIA)

Business Continuity Plan (BCP)

Disaster Recovery Plan (DRP)

Assessing Risks, Threats, and Vulnerabilities

Closing the Information Security Gap

Adhering to Compliance Laws

Keeping Private Data Confidential

Mobile Workers and Use of Personally Owned Devices

BYOD Concerns

Endpoint and Device Security

Chapter Summary

Key Concepts and Terms

Chapter 4 Assessment

CHAPTER 5 Networks and Telecommunications

The Open Systems Interconnection Reference Model

The Main Types of Networks

Wide Area Networks

Local Area Networks

TCP/IP and How It Works

TCP/IP Overview

IP Addressing

Common Ports

Common Protocols

Internet Control Message Protocol

Network Security Risks

Categories of Risk

Basic Network Security Defense Tools

Firewalls

Virtual Private Networks and Remote Access

Network Access Control

Voice and Video in an IP Network

Wireless Networks

Wireless Access Points

Wireless Network Security Controls

Chapter Summary

Key Concepts and Terms

Chapter 5 Assessment

CHAPTER 6 Access Controls

Four-Part Access Control

Two Types of Access Controls

Physical Access Control

Logical Access Control

Authorization Policies

Methods and Guidelines for Identification

Identification Methods

Identification Guidelines

Processes and Requirements for Authentication

Authentication Types

Single Sign-On

Policies and Procedures for Accountability

Log Files

Monitoring and Reviewing

Data Retention, Media Disposal, and Compliance Requirements

Formal Models of Access Control

Discretionary Access Control

Operating Systems–Based DAC

Mandatory Access Control

Nondiscretionary Access Control

Rule-Based Access Control

Access Control Lists

Role-Based Access Control

Content-Dependent Access Control

Constrained User Interface

Other Access Control Models

Effects of Breaches in Access Control

Threats to Access Controls

Effects of Access Control Violations

Credential and Permissions Management

Centralized and Decentralized Access Control

Types of AAA Servers

Decentralized Access Control

Privacy

Chapter Summary

Key Concepts and Terms

Chapter 6 Assessment

CHAPTER 7 Cryptography

What Is Cryptography?

Basic Cryptographic Principles

A Brief History of Cryptography

Cryptography’s Role in Information Security

Business and Security Requirements for Cryptography

Internal Security

Security in Business Relationships

Security Measures That Benefit Everyone

Cryptographic Principles, Concepts, and Terminology

Cryptographic Functions and Ciphers

Types of Ciphers

Transposition Ciphers

Substitution Ciphers

Product and Exponentiation Ciphers

Symmetric and Asymmetric Key Cryptography

Symmetric Key Ciphers

Asymmetric Key Ciphers

Cryptanalysis and Public Versus Private Keys

Keys, Keyspace, and Key Management

Cryptographic Keys and Keyspace

Key Management

Key Distribution

Key Distribution Centers

Digital Signatures and Hash Functions

Hash Functions

Digital Signatures

Cryptographic Applications and Uses in Information System Security

Other Cryptographic Tools and Resources

Symmetric Key Standards

Asymmetric Key Solutions

Hash Function and Integrity

Digital Signatures and Nonrepudiation

Principles of Certificates and Key Management

Modern Key Management Techniques

Chapter Summary

Key Concepts and Terms

Chapter 7 Assessment

CHAPTER 8 Malicious Software and Attack Vectors

Characteristics, Architecture, and Operations of Malicious Software

The Main Types of Malware

Viruses

Spam

Worms

Trojan Horses

Logic Bombs

Active Content Vulnerabilities

Malicious Add-Ons

Injection

Botnets

Denial of Service Attacks

Spyware

Adware

Phishing

Keystroke Loggers

Hoaxes and Myths

Homepage Hijacking

Webpage Defacements

A Brief History of Malicious Code Threats

1970s and Early 1980s: Academic Research and UNIX

1980s: Early PC Viruses

1990s: Early LAN Viruses

Mid-1990s: Smart Applications and the Internet

2000 to the Present

Threats to Business Organizations

Types of Threats

Internal Threats from Employees

Anatomy of an Attack

What Motivates Attackers?

The Purpose of an Attack

Types of Attacks

Phases of an Attack

Attack Prevention Tools and Techniques

Application Defenses

Operating System Defenses

Network Infrastructure Defenses

Safe Recovery Techniques and Practices

Implementing Effective Software Best Practices

Intrusion Detection Tools and Techniques

Antivirus Scanning Software

Network Monitors and Analyzers

Content/Context Filtering and Logging Software

Honeypots and Honeynets

Chapter Summary

Key Concepts and Terms

Chapter 8 Assessment

CHAPTER 9 Security Operations and Administration

Security Administration

Controlling Access

Documentation, Procedures, and Guidelines

Disaster Assessment and Recovery

Security Outsourcing

Compliance

Event Logs

Compliance Liaison

Remediation

Professional Ethics

Common Fallacies About Ethics

Codes of Ethics

Personnel Security Principles

The Infrastructure for an IT Security Policy

Policies

Standards

Procedures

Baselines

Guidelines

Data Classification Standards

Information Classification Objectives

Examples of Classification

Classification Procedures

Assurance

Configuration Management

Hardware Inventory and Configuration Chart

The Change Management Process

Change Control Management

Change Control Committees

Change Control Procedures

Change Control Issues

Application Software Security

The System Life Cycle

Testing Application Software

Software Development and Security

Software Development Models

Chapter Summary

Key Concepts and Terms

Chapter 9 Assessment

CHAPTER 10 Auditing, Testing, and Monitoring

Security Auditing and Analysis

Security Controls Address Risk

Determining What Is Acceptable

Permission Levels

Areas of Security Audits

Purpose of Audits

Customer Confidence

Defining the Audit Plan

Defining the Scope of the Plan

Auditing Benchmarks

Audit Data Collection Methods

Areas of Security Audits

Control Checks and Identity Management

Post-Audit Activities

Exit Interview

Data Analysis

Generation of Audit Report

Presentation of Findings

Security Monitoring

Security Monitoring for Computer Systems

Monitoring Issues

Logging Anomalies

Log Management

Types of Log Information to Capture

How to Verify Security Controls

Intrusion Detection System

Analysis Methods

HIDS

Layered Defense: Network Access Control

Control Checks: Intrusion Detection

Host Isolation

System Hardening

Monitoring and Testing Security Systems

Monitoring

Testing

Chapter Summary

Key Concepts and Terms

Chapter 10 Assessment

CHAPTER 11 Contingency Planning

Business Continuity Management

Emerging Threats

Static Environments

Terminology

Assessing Maximum Tolerable Downtime

Business Impact Analysis

Plan Review

Testing the Plan

Backing Up Data and Applications

Types of Backups

Incident Handling

Preparation

Identification

Notification

Response

Recovery

Follow-Up

Documentation and Reporting

Recovery from a Disaster

Activating the Disaster Recovery Plan

Operating in a Reduced/Modified Environment

Restoring Damaged Systems

Disaster Recovery Issues

Recovery Alternatives

Interim or Alternate Processing Strategies

Chapter Summary

Key Concepts and Terms

Chapter 11 Assessment

CHAPTER 12 Digital Forensics

Introduction to Digital Forensics

Understanding Digital Forensics

Knowledge That Is Needed for Forensic Analysis

Overview of Computer Crime

Types of Computer Crime

The Impact of Computer Crime on Forensics

Forensic Methods and Labs

Forensic Methodologies

Setting Up a Forensic Lab

Collecting, Seizing, and Protecting Evidence

The Importance of Proper Evidence Handling

Imaging Original Evidence

Recovering Data

Undeleting Data

Recovering Data from Damaged Media

Operating System Forensics

Internals and Storage

Command-Line Interface and Scripting

Mobile Forensics

Mobile Device Evidence

Seizing Evidence from a Mobile Device

Chapter Summary

Key Concepts and Terms

Chapter 12 Assessment

CHAPTER 13 Information Security Standards

Standards Organizations

National Institute of Standards and Technology

International Organization for Standardization

International Electrotechnical Commission

World Wide Web Consortium

Internet Engineering Task Force

Institute of Electrical and Electronics Engineers

International Telecommunication Union Telecommunication Sector

American National Standards Institute

European Telecommunications Standards Institute Cyber Security Technical Committee

ISO 17799 (Withdrawn)

ISO/IEC 27002

Payment Card Industry Data Security Standard

Chapter Summary

Key Concepts and Terms

Chapter 13 Assessment

CHAPTER 14 Information Security Certifications

U.S. Department of Defense/Military Directive 8570.01

U.S. DoD/Military Directive 8140

U.S. DoD Training Framework

Vendor-Neutral Professional Certifications

International Information Systems Security Certification Consortium, Inc.

Global Information Assurance Certification/SANS Institute

Certified Internet Web Professional

CompTIA

ISACA®

Other Information Systems Security Certifications

Vendor-Specific Professional Certifications

Cisco Systems

Juniper Networks

RSA

Symantec

Check Point

Chapter Summary

Key Concepts and Terms

Chapter 14 Assessment

CHAPTER 15 Compliance Laws

Compliance Is the Law

Federal Information Security

The Federal Information Security Management Act of 2002

The Federal Information Security Modernization Act of 2014

The Role of the National Institute of Standards and Technology

National Security Systems

The Health Insurance Portability and Accountability Act (HIPAA)

Purpose and Scope

Main Requirements of the HIPAA Privacy Rule

Main Requirements of the HIPAA Security Rule

Oversight

Omnibus Regulations

The Gramm-Leach-Bliley Act

Purpose and Scope

Main Requirements of the GLBA Privacy Rule

Main Requirements of the GLBA Safeguards Rule

Oversight

The Sarbanes-Oxley Act

Purpose and Scope

SOX Control Certification Requirements

SOX Records Retention Requirements

Oversight

The Family Educational Rights and Privacy Act

Purpose and Scope

Main Requirements

Oversight

The Children’s Online Privacy Protection Act of 1998

The Children’s Internet Protection Act

Purpose and Scope

Main Requirements

Oversight

Payment Card Industry Data Security Standard

Purpose and Scope

Self-Assessment Questionnaire

General Data Protection Regulation

California Consumer Privacy Act

Making Sense of Laws for Information Security Compliance

Chapter Summary

Key Concepts and Terms

Chapter 15 Assessment

APPENDIX A Answer Key

APPENDIX B Standard Acronyms

APPENDIX C Earning the CompTIA Security+ Certification

Glossary of Key Terms

References

Index

David Kim is the president of Security Evolutions, Inc. (SEI; www.security-evolutions.com), located outside the Washington, DC, metropolitan area. SEI provides governance, risk, and compliance consulting services for public and private sector clients globally. SEI’s clients include healthcare institutions, banking institutions, governments, and international airports. SEI’s IT security consulting services include security risk assessments, vulnerability assessments, compliance audits, and the design of layered security solutions for enterprises. In addition, available services include developing business continuity and disaster recovery plans. Mr. Kim’s IT and IT security experience encompasses more than 30 years of technical engineering, technical management, and sales and marketing management. This experience includes LAN/WAN, internetworking, enterprise network management, and IT security for voice, video, and data networking infrastructures. He is an accomplished author and part-time adjunct professor who enjoys teaching cybersecurity to students across the United States.

Michael G. Solomon, PhD, CISSP, PMP, CISM, CySA+, Pentest+, is an author, educator, and consultant focusing on privacy, security, blockchain, and identity management. As an IT professional and consultant since 1987, Dr. Solomon has led project teams for many Fortune 500 companies and has authored and contributed to more than 30 books and numerous training courses. Dr. Solomon is a Professor of Computer and Information Sciences at the University of the Cumberlands and holds a Ph.D. in Computer Science and Informatics from Emory University.
