Contemporary Security Management
Fourth Edition
John J. Fay
David Patterson
Butterworth-Heinemann is an imprint of Elsevier
The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States
Copyright © 2018 Elsevier Inc. All rights reserved.
ISBN: 978-0-12-809278-1
CHAPTER 12 Managing Access Control 211
Comfort Level 223
Pros and Cons 223
System Features 224
Managing a Purchase 224
References 300
CHAPTER 22 Vulnerability Assessment 463
INDEX 523
Introduction xxiii
CHAPTER 1
INTRODUCTION
Security was essential to civilization in its earliest stages. During the late Stone Age (Neolithic Period), when settlements were created and people made the transition from hunters to farmers, they created villages with fortified living areas for individual families. The villages had many physical barriers for protection against the principal risk of the time: attack by people from another village. Walls, posts, thick enclosures, heavy doors with stout closures, animals, moats, and traps all served to protect communities from attack by their enemies. Even in these ancient times, therefore, a variety of physical security resources were employed to mitigate risk (Saint-Blanquat, 1986).

The earliest alarms to signal the approach of strangers were animate, and communications depended upon smoke and light signals. In the modern era, Information Technology (IT) traces its origins to the patent of the telegraph by William Cooke and Charles Wheatstone in 1836. Remote voice communication became possible with Alexander Graham Bell's development of the telephone in 1876 (Greer, 1979; Grosvenor, 1997).

The alarm industry grew in tandem with the telephone. Edwin T. Holmes was able to have cable for alarm connections laid at the same time that cables for telephones were being installed in buildings (Holmes, 1990). Wires historically transmitted alarm signals. These signals are transmitted over a
Contemporary Security Management. DOI: http://dx.doi.org/10.1016/B978-0-12-809278-1.00001-3
© 2018 Elsevier Inc. All rights reserved.
Since the network supports the enterprise data and workflow as well as the security devices, the two concerns are now subject to the same threats and need to be considered together.
1970s

The 1970s was a period in information security history largely untouched by digital calamity and marked instead by the exploration of emerging telecommunications technology. The first modern-day hackers appeared as they attempted to circumvent the telephone system and make free phone calls, a practice that became known as "phreaking." Perhaps the most publicly well-known phreaker was John Draper, a.k.a. Captain Crunch, who helped pioneer the practice. Draper was later arrested and convicted multiple times on charges related to his phreaking activities.

1980s

The 1980s saw the birth of computer clubs. This decade subsequently ushered in the era of malware, marking the first PC virus (named "Brain") in 1986 as well as the infamous Morris Worm in 1988. The Computer Fraud and Abuse Act was instituted in 1986, and for the first time a computer hacker, Kevin Poulsen, was featured on America's Most Wanted. Poulsen was finally arrested in 1991, after spending several years as a fugitive. Since his release from prison, however, he has reinvented himself as a journalist and at one point regularly wrote for the online computer security news portal SecurityFocus, which was purchased by Symantec in 2002.
1990s

The 1990s brought with it the dawn of the modern information security industry. Notable threats witnessed during this decade included the Michelangelo virus, Melissa, and Concept. Distributed denial of service attacks and the bots that made them possible were also born, such as Trin00, Tribe Flood Network, and Stacheldraht.

Beyond malware, America Online (AOL) suffered through the first real phishing attacks as fraudsters aimed their efforts at stealing users' credentials. Privacy watchdogs called out in concern as tracking cookies were born, allowing ad networks to monitor user surfing behavior in a rudimentary fashion.

2000s

The first decade of the 21st century saw malicious Internet activity turn into a major criminal enterprise aimed at monetary gain. Adware and spyware entered the scene with such programs as Conducent TimeSink, Aureate/Radiate, and Comet Cursor.

Perhaps even more visible than adware and spyware, aggressively self-propagating malware also appeared. Big-name threats such as Code Red, Nimda, Welchia, Slammer, and Conficker all took advantage of unpatched machines. Phishing attacks also became mainstream, first heavily targeting online banking and then moving on to social networking sites. Zero-day attacks, rootkits, rogue antispyware, SPIM, click fraud, and other attacks all made their mainstream debut in this decade. (A brief history of internet security—SCMagazine, http://www.scmagazine.com/a-brief-history-of-internet-security//article/149611/ accessed January 29, 2016.)
OPERATIONAL VS STRATEGIC

In the past, both physical and IT security have been concerned with the operational needs of the organization, such as controlling access to buildings and computers, issuing identification credentials, and assigning and withdrawing access rights to facilities and computer files.
However, organizations need a way to focus and stay focused. They need a precise strategy and a well-executed action plan. The strategic plan in and of itself cannot help organizations change and move ahead to capture more market share, improve products, increase customer satisfaction, or improve security. Effective strategic business planning requires a living process that keeps the organization focused on the right issues. Management must diligently define and redefine the essential components of a successful security strategy and, in addition, take the tactical actions necessary. Strategic planning is the function that has been neglected in the security organization because of operational commitments. The establishment of the Chief Security Officer (CSO) has been a remarkable improvement in providing both the strategic and the operational focus.
Threats to the physical assets and the information assets identified as a result of a threat analysis should be categorized, and a corresponding security goal defined for each category of threats. The set of security goals should be revised periodically to ensure its adequacy and conformance with the evolving organizational environment. In addition to the four basic goals of security—confidentiality, integrity, availability, and nonrepudiation—a currently relevant set of security goals may include:

- Maintain a quality workforce
- Integrate technology tools
- Provide value-added services
- Offer specialized services
CONVERGENCE OF SECURITY

Convergence of security is defined as the integration of the management of logical security, information security, physical security, business continuity, disaster recovery, and health, safety, and environmental functions.

Logical security provides software safeguards for an organization, including user identification and password controls, access rights, and authorization levels. These measures ensure that only authorized users can perform actions, access information across a network, or use a workstation.

Information security is the discipline of protecting sensitive information from unauthorized access, improper use, disclosure, disruption, modification, examination, inspection, recording, or destruction. It is a term for protecting the data regardless of the form the data takes (e.g., electronic data or physical documents).

Physical security defines security measures that deny unauthorized access to facilities, equipment, and resources, and that protect personnel, property, and