An Introduction to Computer Security: The NIST Handbook

Abstract

This handbook provides guidance on securing computer-based resources including hardware, software, and information. It emphasizes the importance of understanding various security controls, their benefits, and cost considerations. The intended audience includes individuals with computer security responsibilities, particularly within the federal government, while the principles discussed are also applicable to the private sector.

Example of Advanced ACL for the file "payroll" (R = read, W = write, E = execute, D = delete; "-" means the right is not granted):

    PAYMGR:       R, W, E, D
    J. Anderson:  R, W, E, -
    L. Carnahan:  -, -, -, -
    B. Guttman:   R, W, E, -
    E. Roback:    R, W, E, -
    H. Smith:     R, -, -, -
    PAY-OFFICE:   R, -, -, -
Footnote: Menu-driven systems are a common constrained user interface, where different users are provided different menus on the same system.

available to be read by "world." This may disclose information that should be restricted. Unfortunately, elementary ACLs have no mechanism to easily permit such sharing.

Advanced ACLs. Like elementary ACLs, advanced ACLs provide a form of access control based upon a logical registry. They do, however, provide finer precision in control.
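An added example, not code from the handbook, that contrasts the elementary owner/group/world ACL described above with the advanced per-principal ACL of the "payroll" table. The group memberships and the "Outsider" account are constructed, and the rule that an explicit user entry overrides any group entry is an assumption of this example.

```python
from dataclasses import dataclass

PERMS = ("R", "W", "E", "D")  # read, write, execute, delete

# The handbook's advanced-ACL table for "payroll", reproduced as parseable text.
PAYROLL_ACL_TEXT = """
PAYMGR:      R, W, E, D
J. Anderson: R, W, E, -
L. Carnahan: -, -, -, -
B. Guttman:  R, W, E, -
E. Roback:   R, W, E, -
H. Smith:    R, -, -, -
PAY-OFFICE:  R, -, -, -
"""

# Constructed group membership (assumption: PAYMGR and PAY-OFFICE are groups).
GROUPS = {
    "PAYMGR": {"J. Anderson"},
    "PAY-OFFICE": {"H. Smith", "E. Roback", "L. Carnahan"},
}
# Constructed population of the system, including someone with no ACL entry.
EVERYONE = {"J. Anderson", "L. Carnahan", "B. Guttman", "E. Roback",
            "H. Smith", "Outsider"}


def parse_acl_table(text: str) -> dict:
    """Parse 'principal: R, W, E, D' lines; '-' means the right is not granted."""
    acl = {}
    for line in text.strip().splitlines():
        principal, _, rights = line.partition(":")
        granted = {p.strip() for p in rights.split(",")} - {"-"}
        unknown = granted - set(PERMS)
        if unknown:
            raise ValueError(f"unknown permission {unknown} for {principal}")
        acl[principal.strip()] = granted
    return acl


def advanced_allowed(acl: dict, groups: dict, user: str, perm: str) -> bool:
    """Advanced ACL: an explicit user entry is decisive (an all-'-' entry such as
    L. Carnahan's is an explicit denial); otherwise fall back to group entries."""
    if user in acl:
        return perm in acl[user]
    return any(perm in acl.get(g, set())
               for g, members in groups.items() if user in members)


@dataclass(frozen=True)
class ElementaryACL:
    """UNIX-style mode bits: only owner, one group and 'world' are distinguished."""
    owner: str
    group: str
    owner_perms: frozenset
    group_perms: frozenset
    world_perms: frozenset

    def allowed(self, groups: dict, user: str, perm: str) -> bool:
        if user == self.owner:
            return perm in self.owner_perms
        if user in groups.get(self.group, set()):
            return perm in self.group_perms
        return perm in self.world_perms


def readers(check, everyone: set) -> set:
    """All users granted 'R' under a given access check."""
    return {u for u in everyone if check(u, "R")}


def elementary_readers_before_sharing() -> set:
    """J. Anderson owns the file; group PAYMGR may read; world may not."""
    acl = ElementaryACL("J. Anderson", "PAYMGR",
                        frozenset("RWED"), frozenset("R"), frozenset())
    return readers(lambda u, p: acl.allowed(GROUPS, u, p), EVERYONE)


def elementary_readers_after_sharing() -> set:
    """To let H. Smith (not in PAYMGR) read, the owner's only option with an
    elementary ACL is world-read, which also admits everyone else."""
    acl = ElementaryACL("J. Anderson", "PAYMGR",
                        frozenset("RWED"), frozenset("R"), frozenset("R"))
    return readers(lambda u, p: acl.allowed(GROUPS, u, p), EVERYONE)


def advanced_readers() -> set:
    """With the advanced ACL, H. Smith reads and nobody else is added."""
    acl = parse_acl_table(PAYROLL_ACL_TEXT)
    return readers(lambda u, p: advanced_allowed(acl, GROUPS, u, p), EVERYONE)
```

The difference between the two reader sets (L. Carnahan and the outsider) is exactly the disclosure the text warns about.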
Sample System Log File Showing Authentication Messages

    Jan 27 17:14:04 host1 login: ROOT LOGIN console
    Jan 27 17:15:04 host1 shutdown: reboot by root
    Jan 27 17:18:38 host1 login: ROOT LOGIN console
    Jan 27 17:19:37 host1 reboot: rebooted by root
    Jan 28 09:46:53 host1 su: 'su root' succeeded for user1 on /dev/ttyp0
    Jan 28 09:47:35 host1 shutdown: reboot by user1
    Jan 28 09:53:24 host1 su: 'su root' succeeded for user1 on /dev/ttyp1
    Feb 12 08:53:22 host1 su: 'su root' succeeded for user1 on /dev/ttyp1
    Feb 17 08:57:50 host1 date: set by user1
    Feb 17 13:22:52 host1 su: 'su root' succeeded for user1 on /dev/ttyp0

Application-Level Audit Record for a Mail Delivery System

    Apr 9 11:20:22 host1 AA06370: from=<user2@host2>, size=3355, class=0
    Apr 9 11:20:23 host1 AA06370: to=<user1@host1>, delay=00:00:02, stat=Sent
    Apr 9 11:59:51 host1 AA06436: from=<user4@host3>, size=1424, class=0
    Apr 9 11:59:52 host1 AA06436: to=<user1@host1>, delay=00:00:02, stat=Sent
    Apr 9 12:43:52 host1 AA06441: from=<user2@host2>, size=2077, class=0
    Apr 9 12:43:53 host1 AA06441: to=<user1@host1>, delay=00:00:01, stat=Sent
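An added example, not from the handbook, that parses the two sample logs above and pulls out what a reviewer of such an audit trail looks for: how root access was obtained (direct console login versus su from a named account), reboots and clock changes per actor, and the two mail records of each message joined by queue id. The sample lines are the handbook's, embedded inline as the constructed input; the "Mon DD HH:MM:SS host tag: message" layout is assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the handbook's sample records, embedded inline.
AUTH_LOG = """\
Jan 27 17:14:04 host1 login: ROOT LOGIN console
Jan 27 17:15:04 host1 shutdown: reboot by root
Jan 27 17:18:38 host1 login: ROOT LOGIN console
Jan 27 17:19:37 host1 reboot: rebooted by root
Jan 28 09:46:53 host1 su: 'su root' succeeded for user1 on /dev/ttyp0
Jan 28 09:47:35 host1 shutdown: reboot by user1
Jan 28 09:53:24 host1 su: 'su root' succeeded for user1 on /dev/ttyp1
Feb 12 08:53:22 host1 su: 'su root' succeeded for user1 on /dev/ttyp1
Feb 17 08:57:50 host1 date: set by user1
Feb 17 13:22:52 host1 su: 'su root' succeeded for user1 on /dev/ttyp0
"""

MAIL_LOG = """\
Apr 9 11:20:22 host1 AA06370: from=<user2@host2>, size=3355, class=0
Apr 9 11:20:23 host1 AA06370: to=<user1@host1>, delay=00:00:02, stat=Sent
Apr 9 11:59:51 host1 AA06436: from=<user4@host3>, size=1424, class=0
Apr 9 11:59:52 host1 AA06436: to=<user1@host1>, delay=00:00:02, stat=Sent
Apr 9 12:43:52 host1 AA06441: from=<user2@host2>, size=2077, class=0
Apr 9 12:43:53 host1 AA06441: to=<user1@host1>, delay=00:00:01, stat=Sent
"""

# Assumed layout: "Mon DD HH:MM:SS host tag: message" (day may be 1 or 2 digits).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\s]+): (?P<msg>.*)$"
)
SU_ROOT_RE = re.compile(r"'su root' succeeded for (?P<user>\S+) on (?P<tty>\S+)")
REBOOT_RE = re.compile(r"reboot(?:ed)? by (?P<user>\S+)")


def parse_syslog(text: str) -> list:
    """Split raw log text into records; malformed lines are skipped, not fatal."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def privileged_events(records: list) -> list:
    """Events a reviewer of this log cares about, as (timestamp, kind, actor):
    who obtained root and how, and who rebooted the host or changed its clock."""
    events = []
    for r in records:
        tag, msg = r["tag"], r["msg"]
        if tag == "login" and msg.startswith("ROOT LOGIN"):
            # A direct root login names only the terminal, never a person.
            events.append((r["ts"], "root_login", msg.split()[-1]))
        elif tag == "su" and (m := SU_ROOT_RE.search(msg)):
            events.append((r["ts"], "su_root", m["user"]))
        elif tag in ("shutdown", "reboot") and (m := REBOOT_RE.search(msg)):
            events.append((r["ts"], "reboot", m["user"]))
        elif tag == "date" and msg.startswith("set by "):
            # A clock change undermines every timestamp that follows it.
            events.append((r["ts"], "clock_change", msg.split()[-1]))
    return events


def unattributed_root_access(records: list) -> int:
    """Root sessions that cannot be tied to an individual (direct root logins),
    unlike 'su root', which records the account that escalated."""
    return sum(1 for _, kind, _ in privileged_events(records) if kind == "root_login")


def activity_by_actor(records: list) -> dict:
    """{actor: {kind: count}} over the privileged events above."""
    summary = defaultdict(Counter)
    for _, kind, actor in privileged_events(records):
        summary[actor][kind] += 1
    return {actor: dict(c) for actor, c in summary.items()}


def mail_deliveries(records: list) -> dict:
    """Join the two application-level records of one message (from= and to=)
    by queue id, which is the syslog tag in this format."""
    msgs = defaultdict(dict)
    for r in records:
        fields = dict(kv.split("=", 1) for kv in r["msg"].split(", ") if "=" in kv)
        msgs[r["tag"]].update(fields)
    return {qid: (f.get("from"), f.get("to"), f.get("stat")) for qid, f in msgs.items()}
```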