Disaster Recovery Planning (DRP)
Business Continuity Planning (BCP)
Binomial International
The Binomial Bookstore
Rothstein Associates Inc.
Info & Network Security, Info Protection
THE COMPLETE GUIDE TO INTERNET SECURITY
by Mark S. Merkow, CCP and James Breithaupt

“What stands between your organization's computer systems and all the security threats that lurk out there - or within your own walls? The first line of defense is security awareness. The second is technological know-how. This authoritative book is your vital guide to both aspects of Internet security, written by "infosec" professionals for two of America's most prominent corporations.

“Practical and readable, it consolidates and distills into one convenient volume a vast amount of security information on:
- Inherent vulnerabilities of Internet-attached networks
- Weaknesses of e-commerce sites
- Common hacker tools
- Insider attacks
- Physical and logical system security, including firewalls, routers, proxies, access controls, intrusion detection, and policy-based networking
- Commercial security software
- Security settings for servers, user desktops, and database management
- Cryptography, and much more.”

====================================

“So you think your organization has taken every possible computer security precaution? Despite your efforts, catastrophe may strike at any moment. Security problems are rampant, given the interconnectedness of today's computer systems. Whether working from within or without, at random or with malicious intent, hackers can wreak havoc on your business within seconds. Your systems are also easy prey for corporate espionage, internal negligence, technological accidents, and other potential disasters. The resulting damage can run to millions of dollars, even billions for e-vendors, in lost revenues and recovery expenses.

“This comprehensive book is your one-stop guide to Internet security. Designed for all information technology professionals - CIOs, security administrators and auditors, network architects, systems analysts, and programmers - it shows how to analyze your company's systems in terms of potential security risks. Then it explains how to design and implement a well-thought-out security plan that covers every aspect of your technology needs.

“You'll begin by reviewing the fundamentals. The authors emphasize the need for a complete corporate security policy that encompasses every part of the organization where data is created, modified, stored, processed, or exchanged. You'll also look inside a hacker's toolbox and test your own knowledge of the potential hazards out there.

“Paying special attention to Internet-attached networks and e-commerce systems, the authors help you determine if your organization's current efforts are meeting industry standards. They include a sample Internet security policy that your organization can adapt for your own use.

“Next, you'll learn to launch or enhance an effective defense. The authors reveal how to address the problems inherent in the testing of security products and take you deeper into first-line security technologies including routers, firewalls, and intrusion detection systems. Of special interest is a close examination of the newest framework for security threats - the Common Vulnerabilities and Exposures (CVE) initiative.

“On the physical side of security, the book explores such essentials as access controls, system monitoring, passwords, and the use of commercial software to protect information resources. Following a proven model, you'll proceed step by step toward a layered approach that protects your intranet and extranets, and secures all online transactions for your customers.

“Are cryptosystems the solution to your e-security needs? You'll be able to determine for yourself how much security is enough after a thorough investigation of transport layer cryptography, digital signatures, private keys, smart cards, and biometrics.

“In short, The Complete Guide to Internet Security explains everything you need to know about big picture security for your organization, without getting into micro-level details of implementation. Use it to focus your search for appropriate solutions to your security concerns - and to sleep better at night.”

====================================

CONTENTS

ACKNOWLEDGMENTS

1. BUILDING A FOUNDATION FOR INFORMATION SECURITY
Information Security in Context A Security Policy That Sets the Stage for Success The Four Types of Policies Useful Hints for Policy Creation An Executive's Guide to the Protection of Information Resources The Program Elements of Information Protection Implementation of the Information Protection Program Summary

2. THE FUNDAMENTAL ELEMENTS OF SECURITY
No Single Solution but Planning The New Need for Security Principles for Building a Security Culture Rolling Your Own Policies An Ounce of Prevention Is Worth a Pound of Security

3. VULNERABILITIES TO INTERNET-ATTACHED NETWORKS
A Brief History of the Internet The Vulnerabilities of Communications Early Recommendations for New and Existing Internet Connections

4. HACKING ISN'T BEYOND THE CORPORATE PERIMETER
Uncertainty: The Worst of the Problems The Role of Laziness and Incompetence Basic Threats Types of Hackers Types of Hacking

5. PEEKING INSIDE A HACKER'S TOOLBOX
SATAN Hacking Your Way through the Internet Popular Hacking Tools Testing Your Hacking IQ So What Can You Do to Save Yourself?

6. INSTRUMENTAL EFFECTS FOR SECURITY ASSURANCE
The Common Criteria (CC) for Information Technology Security Evaluation The Conundrum of Security Testing The National Information Assurance Partnership (NIAP) The Common Evaluation Methodology (CEM) NIAP Activities

7. SECURITY TECHNOLOGIES
Routers Firewalls Intrusion Detection Systems (IDSs) Building Confidence with a Layered Approach to Security CVE: A Common Framework for Computer Security Threats

8. PHYSICAL SECURITY CONTROL
Aspects of Physical Security

9. LOGICAL ACCESS CONTROL
Dimensions of Logical Access Control Web Server Security Logical Access Control Methods Logical Access Control through Network Design More Settings at the Server Protect Yourself from Yourself

10. APPLICATION LAYER SECURITY
Intranets and Extranets How Much E-Commerce Security Is Enough? Secure Electronic Transaction (SET) The Corporate Purchasing Landscape Open Buying on the Internet

11. AN INTRODUCTION TO CRYPTOGRAPHY
Basic Terms and Concepts Cryptosystems as the Answer to the Needs of Today's E-Commerce

12. TRANSPORT LAYER CRYPTOGRAPHY
The SSL Protocol Virtual Private Networks The Future of Network Transport

13. DIGITAL SIGNATURES AND PPK CRYPTOGRAPHY
Digital Certificates Building an Infrastructure for the Use of Digital Certificates Protecting Private Keys Certificate Practice Statements Developing a PKI

14. KEY MANAGEMENT CONSIDERATIONS
Principles of Secure Cryptosystems What Threatens Cryptographic Systems? Security Requirements for Cryptomodules Choosing Hardware- or Software-Based Cryptomodules The Layers of Cryptography Hardware Assisted Cryptography

15. MULTIFACTOR ACCESS CONTROLS USING CRYPTOGRAPHY
SmartCards Biometrics

16. MINDING THE STORE FOR THE LONG RUN
Government Resources Reporting Internet-Related Crime Security Vulnerability Scanning Reinforcing Network Security Responsibilities Conclusion

APPENDIX A. A SAMPLE INTERNET SECURITY POLICY
APPENDIX B. INTERNET BOOKMARKS TO SECURITY-RELATED SITES
APPENDIX C. SECURITY AND SECURITY-TESTING SPECIALISTS
APPENDIX D. SUGGESTED READINGS
APPENDIX E. GLOSSARY OF TERMS
Index

====================================

ABOUT THE AUTHORS

“MARK S. MERKOW, CCP, is the author of 4 previous computer books, including Virtual Private Networks for Dummies, as well as dozens of articles in trade journals and e-zines such as E-Commerce Outlook. He is an e-commerce security officer in the information systems division of a major global financial services company. Mr. Merkow lives in Tempe, Arizona.

“JAMES BREITHAUPT is coauthor (with Mark Merkow) of Building SET Applications for Secure Transactions. Currently a project manager for a premier U.S. brokerage firm with a top-rated online presence, he has extensive consulting experience in the financial services industry. Mr. Breithaupt also teaches writing and literature courses at community colleges in his home city of Phoenix.”

====================================

2000, 356 pages. Order #DR514.

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEin
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
All bookstore enquiries should be sent to Rothstein Associates at the above address.
© Binomial International 2008