IT Security



Contents

Security Management ........................................ 3
Security Operations ......................................... 9
(ISC)2 Press ................................................ 12
Information Security Management Handbook .................... 13
Physical Security ........................................... 14
Application Security ........................................ 15
Computer Forensics .......................................... 16
Audit ....................................................... 18
Governance, Risk, and Compliance ............................ 19
System Defense .............................................. 21
InformationSecurityNetBASE .................................. 23


Want to maximize your buying power? Order direct from our online store and receive FREE Standard Shipping with every order, big or small.

Visit us at www.crcpress.com to view more information and complete tables of contents for these and many other related books.



Security Management

Information Security Management Metrics
A Definitive Guide to Effective Security Monitoring and Measurement
W. Krag Brotby, CISM
Enterprise Security Architect, Thousand Oaks, California, USA

Spectacular security failures continue to dominate the headlines despite huge increases in security budgets and ever-more draconian regulations. The 20/20 hindsight of audits is no longer an effective solution to security weaknesses, and the necessity for real-time strategic metrics has never been more critical. Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement offers a radical new approach for developing and implementing security metrics essential for supporting business activities and managing information risk. This work provides insight into these critical security questions:
• How secure is my organization?
• How much security is enough?
• What are the most cost-effective security solutions?
• How do we determine the degree of risk?
Using case studies, this volume shows readers how to develop metrics that can be used across an organization to assure its information systems are functioning, secure, and supportive of the organization’s business objectives. It provides a comprehensive overview of security metrics, discusses the current state of metrics in use today, and looks at promising new developments. Later chapters explore ways to develop effective strategic and management metrics for information security governance, risk management, program implementation and management, and incident management and response.

Catalog no. AU5285, 2009, 200 pp. ISBN: 978-1-4200-5285-5, $79.95 / £48.99

Complete Guide to Security and Privacy Metrics
Measuring Regulatory Compliance, Operational Resilience, and ROI
Debra S. Herrmann
U.S. Nuclear Regulatory Commission, Washington, D.C., USA

While it has become increasingly apparent that individuals and organizations need a security metrics program, it has been exceedingly difficult to define exactly what that means in a given situation. Finding the correct formula for a specific scenario calls for a clear, concise guide with which to navigate this sea of information. Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI defines more than 900 ready-to-use metrics that measure compliance, resiliency, and return on investment. The author explains what needs to be measured, why and how to measure it, and how to tie security and privacy metrics to business goals and objectives. The book addresses measuring compliance with current legislation, regulations, and standards in the United States, European Union, and Canada, including Sarbanes–Oxley, HIPAA, and the Data Protection Act-UK. The metrics covered are scaled by information sensitivity, asset criticality, and risk, and aligned to correspond with different lateral and hierarchical functions within an organization. The text includes numerous examples and sample reports to illustrate these concepts and stresses a complete assessment by evaluating the interaction and interdependence between physical, personnel, IT, and operational security controls.

Catalog no. AU5402, 2007, 848 pp. ISBN: 978-0-8493-5402-1, $124.95 / £79.99

For more information and complete contents, visit www.crcpress.com

3


Security Management

Building an Effective Information Security Policy Architecture
Sandy Bacik
Consultant, Fuquay Varina, North Carolina, USA

Information security teams are charged with developing and maintaining a set of documents that will protect the assets of an enterprise from constant threats and risks. In order for these safeguards and controls to be effective, they must suit the particular business needs of the enterprise. A guide for security professionals, Building an Effective Information Security Policy Architecture explains how to review, develop, and implement a security architecture for any size enterprise, whether it is a global company or a small or medium-sized business. Through the use of questionnaires and interviews, the book demonstrates how to evaluate an organization’s culture and its ability to meet various security standards and requirements. Because the effectiveness of a policy is dependent on cooperation and compliance, the author also provides tips on how to communicate the policy and gain support for it.
Features:
• Explains how to review an existing policy architecture
• Provides a manual of style with sample document formatting
• Demonstrates how to perform a risk analysis
• Describes how to effectively communicate the policy architecture to an organization
Suitable for any level of technical aptitude, this book can help professionals evaluate the business needs and risks of an enterprise and incorporate this information into an effective security policy architecture.

Catalog no. AU5905, 2008, 368 pp. ISBN: 978-1-4200-5905-2, $79.95 / £49.99

New!
Information Security Management: Concepts and Practice
Bel G. Raggad
Pace University, Pleasantville, New York, USA

Information security cannot be effectively managed unless secure methods and standards are integrated into all phases of the information security life cycle. Although the international community has been aggressively engaged in developing security standards for network and information security worldwide, there are few texts that provide clear guidance on how to properly apply the new standards in conducting security audits and creating risk-driven information security programs. Information Security Management: Concepts and Practice provides a general overview of security auditing before examining the various elements of the information security life cycle. It explains the ISO 17799 standard and walks readers through the steps of conducting a nominal security audit that conforms to the standard. The text also provides detailed guidance for conducting an in-depth technical security audit leading to certification against the 27001 standard. Topics addressed include cyber security, security risk assessments, privacy rights, HIPAA, SOX, intrusion detection systems, security testing activities, cyber terrorism, and vulnerability assessments. This self-contained text is filled with review questions and real-world examples that illustrate effective implementation and security auditing methodologies. It also includes a detailed security auditing protocol readers can use to devise and implement effective risk-driven security programs that touch all phases of a computing environment.

Catalog no. AU7854, January 2010, 871 pp. ISBN: 978-1-4200-7854-1, $79.95 / £49.99

4

SAVE 15% when you order online at www.crcpress.com


Security Management

Information Assurance Architecture
Keith D. Willett
CTN Technologies, Millersville, Maryland, USA

Since information is the lifeblood of an organization, security professionals must be especially vigilant about assuring it. The hacker, spy, or cyber-thief of today can breach any barrier if it remains unchanged long enough or has even the tiniest leak; consequently, information architecture must be dynamic and fully integrated within all facets of the enterprise. In Information Assurance Architecture, Keith D. Willett draws on his over 25 years of technical, security, and business experience to provide a framework for organizations to align information assurance with the enterprise and their overall mission. This work provides the security industry with the know-how to create a formal information assurance architecture that complements an enterprise architecture, systems engineering, and the enterprise life cycle management (ELCM). The book consists of a framework, a process, and many supporting tools, templates, and methodologies. The framework provides a reference model for the consideration of security in many contexts and from various perspectives; the process provides direction on how to apply that framework. Mr. Willett teaches readers how to identify and use the right tools for the right job. Furthermore, he demonstrates a disciplined approach in thinking about, planning, implementing, and managing security, emphasizing that solid solutions can be made impenetrable when they are seamlessly integrated with the whole of an enterprise.

Catalog no. AU8067, 2008, 624 pp. ISBN: 978-0-8493-8067-9, $79.95 / £49.99

CISO Soft Skills
Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives
Ron Collette and Michael Gentile
CISOHandbook.com & Traxx Consulting Services, Newport Beach, California, USA
Skye Gentile
Aptos, California, USA

A companion volume to the highly touted CISO Handbook, CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives presents tools that empower security practitioners to identify the intangible negative influencers of security that plague most organizations, and provides further techniques to identify, minimize, and overcome these pitfalls within customized situations. The book discusses the root causes that negatively influence both a CISO and an organization’s ability to truly secure itself. These root causes, also known as security constraints, include:
• Employee apathy
• Employee myopia or tunnel vision
• Employee primacy, often exhibited as office politics
• The infancy of the information security discipline
The authors provide numerous practical and actionable exercises, tools, and techniques to identify, limit, and compensate for the influence of security constraints in any type of organization. The final chapters discuss some proactive techniques that CISOs can utilize to effectively secure challenging work environments. Reflecting the experience and solutions of those that are in the trenches of modern organizations, this volume provides practical ideas that can make a difference in the daily lives of security practitioners.

Catalog no. AU9102, 2009, 288 pp. ISBN: 978-1-4200-8910-3, $69.95 / £44.99


5


Security Management

New!
Cloud Computing
Implementation, Management, and Security
John W. Rittinghouse
Hypersecurity LLC, Houston, Texas, USA
James F. Ransome
Cisco Systems, Santa Clara, California, USA

Cloud Computing: Implementation, Management, and Security provides an understanding of what cloud computing really means, examines its advantages and disadvantages, and explores how disruptive it may become in the future. The authors first discuss the evolution of computing from a historical perspective, focusing primarily on advances that led to the development of cloud computing. They then survey some of the critical components that are necessary to make the cloud computing paradigm feasible. They also present standards based on the use and implementation issues surrounding cloud computing and describe the infrastructure management that is maintained by cloud computing service providers. After addressing significant legal and philosophical issues, the book concludes with a hard look at successful cloud computing vendors.

Features:
• Discusses how new technologies, such as virtualization, played a huge role in the growth and acceptance of cloud computing
• Describes different types of cloud services
• Illustrates how to build a cloud network
• Presents common standards for application development, messaging, and security
• Covers the legal and philosophical issues that must be addressed to properly protect user data and mitigate corporate liability
• Examines the successes of several cloud computing vendors and how their achievements have helped shape cloud computing

Catalog no. K10347, January 2010, 340 pp. ISBN: 978-1-4398-0680-7, $79.95 / £49.99

Information Security
Design, Implementation, Measurement, and Compliance
Timothy P. Layton
Grover, Missouri, USA

Information Security: Design, Implementation, Measurement, and Compliance outlines a complete roadmap to successful adaptation and implementation of a security program based on the ISO/IEC 17799:2005 (27002) Code of Practice for Information Security Management. The book first describes a risk assessment model, a detailed risk assessment methodology, and an information security evaluation process. Upon this foundation, the author presents a proposed security baseline for all organizations, an executive summary of the ISO/IEC 17799 standard, and a gap analysis exposing the differences between the recently rescinded version and the newly released version of the standard. Finally, he devotes individual chapters to each of the 11 control areas defined in the standard, systematically covering the 133 controls within the 39 control objectives.

Features:
• Contains a programmatic approach that applies to a business regardless of its size or type
• Presents a process that allows firms to shape customized information security practices for their own requirements
• Demonstrates how to conduct a risk assessment covering all controls and control objectives
• Illustrates how to use data both qualitatively and quantitatively to meet the ISO/IEC 17799 standard
• Provides a gap analysis between the first and second editions of the standard to simplify transition to the new one

Catalog no. AU7087, 2007, 264 pp. ISBN: 978-0-8493-7087-8, $93.95 / £59.99

6



Security Management

New!
The Executive MBA in Information Security
John J. Trinckes, Jr.
Hampton, Florida, USA

According to the Brookings Institute, an organization’s information and other intangible assets account for over 80 percent of its market value. As the primary sponsors and implementers of information security programs, those in key leadership positions must possess a solid understanding of the constantly evolving fundamental concepts of information security management. Supplying a complete overview of key concepts, The Executive MBA in Information Security provides the tools needed to ensure an organization has an effective and up-to-date information security management program in place. This one-stop resource provides a ready-to-use security framework that can be used to develop workable programs and includes proven tips for avoiding common pitfalls. Allowing for quick and easy reference, this time-saving manual explores:
• The difference between information security and IT security
• Corporate governance and how it relates to information security
• Steps and processes involved in hiring the right information security staff
• The different functional areas related to information security
• Roles and responsibilities of the chief information security officer (CISO)
Presenting difficult concepts in a straightforward manner, this concise guide allows corporate leaders to learn what it takes to develop a rock-solid information security management program that is as flexible as it is secure.

Catalog no. K10501, January 2010, 352 pp. ISBN: 978-1-4398-1007-1, $69.95 / £44.99

How to Develop and Implement a Security Master Plan
Timothy Giles
Newnan, Georgia, USA

How to Develop and Implement a Security Master Plan details how to construct a customized, comprehensive five-year corporate security plan that synchronizes with the strategies of any business or institution. The author explains how to develop a plan and implementation strategy that aligns with an organization’s particular philosophies, strategies, goals, programs, and processes. Readers learn how to outline risks and then formulate appropriate mitigation strategies. This guide provides tested, real-world advice on how to:
• Conduct an effective, efficient assessment of the site and security personnel, meticulously addressing the particular needs of many different environments
• Make decisions about security philosophies, strategies, contract relationships, technology, and equipment replacement
• Interview executive and security management to determine their concerns, educate them, and ensure that they buy in to the plan
• Use all gathered data to construct and finalize the Security Master Plan and then implement it into the management of the business
• Apply insights from an expert with global experience at the highest level
Author Tim Giles worked at IBM for 31 years, serving as Director of Security for the company’s operations in the United States, Canada, Latin America, and Asia-Pacific. His immeasurable insight and experience provide readers with an extraordinarily comprehensive understanding that they can use to design and execute a highly effective, tailored security program.

Catalog no. AU6251, 2009, 352 pp. ISBN: 978-1-4200-8625-6, $79.95 / £49.99


7


Security Management

The CISO Handbook
A Practical Guide to Securing Your Company
Michael Gentile and Ron Collette
CISOHandbook.com & Traxx Consulting Services, Newport Beach, California, USA
Tom August
Sony Corporation of America, San Diego, California, USA

The CISO Handbook: A Practical Guide to Securing Your Company offers unique insights into designing and implementing an information security program, building a robust framework that enables professionals to map concepts to their company’s environment. The book identifies the elements that drive the need for infosec programs and discusses how to build the foundation of a program and develop an executive mandate along with reporting metrics and an organizational matrix with defined roles and responsibilities. It demonstrates how to construct the policies and procedures to meet identified business objectives, emphasizing the creation of a successful execution model for the implementation of security projects against the backdrop of common business constraints. Lastly, it focuses on communicating back to the external and internal stakeholders with information that fits the various audiences.

Features:
• Presents a comprehensive roadmap for designing and implementing an effective infosec program
• Builds a bridge between high-level theory and practical execution
• Provides a set of practices that security professionals can use every day
• Illustrates practical issues often overlooked by theoretical texts
• Outlines a framework that can be expanded or contracted to meet a company’s needs

Catalog no. AU1952, 2006, 352 pp. ISBN: 978-0-8493-1952-5, $78.95 / £49.99

Second Edition of a bestseller!
Managing an Information Security and Privacy Awareness and Training Program
Second Edition
Rebecca Herold
Rebecca Herold, LLC, Van Meter, Iowa, USA

“Rebecca Herold has the answers in her definitive book on everything everybody needs to know about how to impart security awareness, training, and motivation. Motivation had been missing from the information security lexicon until Herold put it there in most thorough and effective ways… The power of this book also lies in applying real education theory, methods, and practice to teaching security awareness and training … After reading this book, there is no question about the necessary and important roles of security awareness, training, and motivation.” —Donn B. Parker, CISSP, from the Preface

“This book is remarkable because it covers in detail all the facets of providing effective security awareness training … I can, without reservation, recommend use of this book to any organization faced with the need to develop a successful training and awareness program. It surely provides everything you need to know to create a real winner.” —Hal Tipton, from the Foreword

This volume provides a starting point and an all-in-one resource for infosec and privacy education practitioners who are building programs for their organizations. The author applies knowledge obtained through her work in education, creating a comprehensive resource of nearly everything involved with managing an infosec and privacy training course. This book includes examples and tools from a wide range of businesses, enabling readers to select effective components that will be beneficial to their enterprises. The text progresses from the inception of an education program through development, implementation, delivery, and evaluation.

Catalog no. K10793, July 2010, c. 528 pp., ISBN: 978-1-4398-1545-8, $79.95 / £49.99

8



Security Operations

Digital Privacy
Theory, Technologies, and Practices
Edited by Alessandro Acquisti, Stefanos Gritzalis, Costas Lambrinoudakis, and Sabrina De Capitani di Vimercati

While the utilization of personal information can improve customer services, increase revenues, and lower business costs, it can also be easily misused and lead to violations of privacy. According to recent surveys, privacy and anonymity are the fundamental issues of concern for most internet users, ranked higher than ease-of-use, spam, cost, and security. Reflecting the growing interest in this area, Digital Privacy: Theory, Technologies, and Practices covers state-of-the-art technologies, best practices, and research results, as well as legal, regulatory, and ethical issues. The editors, established researchers whose work enjoys worldwide recognition, draw on contributions from experts in academia, industry, and government to delineate theoretical, technical, and practical aspects of digital privacy. They provide an up-to-date, integrated approach to privacy issues that spells out what digital privacy is, and they cover the threats, rights, and provisions of the legal framework in terms of technical countermeasures for the protection of an individual’s privacy. The work is a thorough exploration of protocols, mechanisms, applications, architectures, systems, and experimental studies. Encompassing a wide range of privacy topics examined by a stellar cast of contributors, this volume provides the foundation for building effective and legal privacy protocols into an organization’s business processes.

Catalog no. AU5217, 2008, 496 pp. ISBN: 978-1-4200-5217-6, $73.95 / £46.99

Mechanics of User Identification and Authentication
Fundamentals of Identity Management
Dobromir Todorov
Consultant, Buckinghamshire, UK

User identification and authentication are essential parts of information security. Users must authenticate as they access their computer systems at work or at home every day. Yet do users understand how and why they are actually being authenticated, the security level of the authentication mechanism that they are using, and the potential impacts of selecting one authentication mechanism or another? Introducing key concepts, Mechanics of User Identification and Authentication: Fundamentals of Identity Management outlines the process of controlled access to resources through authentication, authorization, and accounting in an in-depth yet accessible manner. It examines today’s security landscape and the specific threats to user authentication. The book then outlines the process of controlled access to resources and discusses the types of user credentials that can be presented as proof of identity prior to accessing a computer system. It also contains an overview of cryptography that includes the essential approaches and terms required for understanding how user authentication works. This book provides specific information on the user authentication process for both UNIX and Windows. Addressing more advanced applications and services, the author presents common security models such as GSSAPI and discusses authentication architecture. Each method is illustrated with a specific authentication scenario.

Catalog no. AU5219, 2007, 760 pp. ISBN: 978-1-4200-5219-0, $83.95 / £53.99


9


Security Operations

Software Deployment, Updating, and Patching
Bill Stackpole and Patrick Hanrion
Microsoft Corporation, Redmond, Washington, USA

The deployment of software patches can be just as challenging as building entirely new workstations. Preparing for the rigors of software deployment includes not just implementing change, but training employees, predicting and mitigating pitfalls, and managing expectations. Software Deployment, Updating, and Patching provides the skills needed to develop a comprehensive strategy for tracking and managing system configurations, as well as for updating and securing systems with the latest packs and patches. Written by two of Microsoft’s top experts, this clear and concise manual demonstrates how to perform inventories of IT assets, test compatibility, target deployment, and evaluate management technologies. It also shows how to create and implement deployment plans with recovery and remediation options, and how to recognize potential vulnerabilities. Empowering businesses to develop a comprehensive strategy for managing, updating, and securing essential systems, this volume:
• Demonstrates how to implement system configuration management
• Explains software updating and patch management strategies
• Illustrates how to take inventory of IT assets and identify old versions and potential vulnerabilities
• Shows how to test updates and patches to verify functionality, stability, and compatibility
• Allows readers to create and execute a deployment plan with recovery and remediation options

Catalog no. AU5800, 2008, 424 pp. ISBN: 978-0-8493-5800-5, $83.95 / £53.99

New!
Vulnerability Management
Park Foreman
GroupM, New York, USA

Valuable guidance from an expert with two decades of security experience

As old as the threat of danger itself, vulnerability management (VM) has been the responsibility of leaders in every human organization. Today, the focus of vulnerability management is still on infrastructure, but as knowledge is power and the lifeblood of any organization is its capacity for quick system-wide response, current emphasis needs to be placed on maintaining the integrity of IT applications. Written by international security consultant Park Foreman, Vulnerability Management demonstrates a proactive approach. Illustrated with examples drawn from more than two decades of multinational experience, Foreman demonstrates how much easier it is to manage potential weaknesses than to clean up after a violation. He provides the strategic vision and action steps needed to prevent the exploitation of IT security gaps, especially those that are inherent in a larger organization.

Features:
• Offers the guidance needed to develop and personalize a VM management program
• Goes far beyond the obvious to cover those areas often neglected, as well as those that are actually less secure than they might appear
• Demonstrates a host of proven methods to assess and reduce the potential for exploitation from within as well as by outsiders
• Provides detailed checklists used by the author

Catalog no. K10093, January 2010, 347 pp. ISBN: 978-1-4398-0150-5, $79.95 / £48.99

10



Security Operations

Security in an IPv6 Environment
Daniel Minoli
SES Engineering, Princeton, New Jersey, USA
Jake Kouns
Markel Corporation, Glen Allen, Virginia, USA

As Internet Protocol Version 6 (IPv6) becomes an institutional imperative, questions emerge about the security of an IPv6-based architecture and the strategies for transition from IPv4. A practical primer, Security in an IPv6 Environment discusses IPv6 security vulnerabilities, considerations, mechanisms, and approaches. Surveying methods used to ensure a reliable and controlled IPv6 migration, this volume:
• Explains the IPsec Authentication Header (AH) and Encapsulating Security Payload (ESP), and the use of these protocols in IPv6 environments
• Elaborates on IPv6 addressing security, extension headers and fragmentation, neighbor discovery issues, DNS issues, NATs, packet filtering, and Teredo
• Examines firewall use in IPv6 environments, including use of host-based and distributed firewalls
An increasing amount of mission-critical commercial and military operations are supported by distributed, mobile, always-connected, hybrid public-private networks, especially IPv6-based networks. The growing number of attackers or inimical agents means that all computing environments must have high-assurance security mechanisms. This comprehensive book explains why security savvy is indispensable, and includes considerations for mixed IPv4 and IPv6 migration environments. More than an exhaustive treatment of IPv6 and security topics, this book is a point of departure for anyone adjusting to this technological transition and the subtending security considerations.

Catalog no. AU2294, 2009, 288 pp. ISBN: 978-1-4200-9229-5, $79.95 / £49.99

New!
Building an Enterprise-Wide Business Continuity Program
Kelley Okolita
MBCP (Master Business Continuity Planner), Worcester, Massachusetts, USA

Drawing on over two decades of experience creating continuity plans and using them in actual recoveries, Kelley Okolita goes beyond theory to provide planners with the tools needed to build a continuity program in any enterprise. The book offers guidance on each step of the process, including how to validate the plan, time-tested tips for keeping the plan action-ready over the course of time, and how to sell the program to senior leadership.

Catalog no. AU8645, January 2010, 344 pp. ISBN: 978-1-4200-8864-9, $79.95 / £49.99

Enterprise Systems Backup and Recovery
A Corporate Insurance Policy
Preston de Guise
IDATA Pty Ltd., Sydney, Australia

This book recommends corporate procedures and policies that need to be established for comprehensive data protection. Suitable for any organization, regardless of what operating systems or applications are deployed, what backup system is in place, or what planning has been done for business continuity, the book explains how backup must be included in every phase of system planning, development, operation, and maintenance. It also provides techniques for analyzing and improving current backup system performance.

Catalog no. AU6396, 2009, 308 pp., Soft Cover, ISBN: 978-1-4200-7639-4, $69.95 / £44.99


11


(ISC)2 Press

Bestseller!
CISO Leadership
Essential Principles for Success
Edited by Todd Fitzgerald, CISSP, CISA, CISM, Milwaukee, Wisconsin, USA, and Micki Krause, CISSP, Pacific Life Insurance Company, Newport Beach, California, USA

Describes the management skills needed by aspiring senior security executives

Catalog no. AU7943, 2008, 312 pp. ISBN: 978-0-8493-7943-7, $73.95 / £46.99

Official (ISC)2 Guide to the CAP CBK®
Building and Implementing a Security Certification and Accreditation Program
Patrick D. Howard
Nuclear Regulatory Commission, USA

Demonstrates the effectiveness of certification and accreditation (C&A) as a risk management methodology for IT systems in public and private organizations

Catalog no. AU2062, 2006, 344 pp. ISBN: 978-0-8493-2062-0, $93.95 / £59.99

New!
Official (ISC)2® Guide to the CISSP® CBK®
Second Edition
Edited by Harold F. Tipton, HFT Associates, Villa Park, California, USA, and Kevin Henry, North Gower, Canada

Includes a CD-ROM with sample exams

Catalog no. K10480, January 2010, 965 pp. ISBN: 978-1-4398-0959-4, $69.95 / £44.99

Bestseller!
Official (ISC)2® Guide to the CISSP®-ISSEP® CBK®
Edited by Susan Hansche, CISSP-ISSEP, PEC Solutions, Fairfax, Virginia, USA

An inclusive analysis of all of the topics covered on the ISSEP Exam

Catalog no. AU2341, 2006, 1024 pp. ISBN: 978-0-8493-2341-6, $73.95 / £46.99

Official (ISC)2 Guide to the SSCP® CBK®
Edited by Diana-Lynn Contesti, Douglas Andre, Eric Waxvik, Paul A. Henry, and Bonnie A. Goins

Explores the seven domains of the CBK

Catalog no. AU2774, 2007, 608 pp. ISBN: 978-0-8493-2774-2, $62.95 / £39.99

Coming Soon!
Official (ISC)2® Guide to the ISSAP® CBK®
Edited by Harold F. Tipton, HFT Associates, Villa Park, California, USA, and Kevin Henry, (ISC)2 Institute, North Gower, Ontario, Canada

Assures competence of the six major domains of the Information Systems Security Architecture Professional (ISSAP) Concentration

Catalog no. K10073, June 2010, c. 500 pp. ISBN: 978-1-4398-0093-5, $79.95 / £49.99

12

SAVE 15% when you order online at www.crcpress.com


Information Security Management Handbook

Information Security Management Handbook, Sixth Edition, Volume 3

Edited by Harold F. Tipton, CISSP, HFT Associates, Villa Park, California, USA, and Micki Krause, CISSP, Pacific Life Insurance Company, Newport Beach, California, USA

Every year, in response to new technologies and new laws in different countries and regions, there are changes to the fundamental knowledge, skills, techniques, and tools required by all IT security professionals. In step with the ever-increasing pace of change in the technology field, the Information Security Management Handbook has become the standard on which all IT security programs and certifications are based. It reflects new updates to the Common Body of Knowledge (CBK®) that IT security professionals all over the globe need to know. The Sixth Edition, Volume 3 is a stand-alone reference and also updates the 3280-page benchmark Volume 1.

Captures the crucial elements of the CBK

Exploring the ten domains of the CBK, the book covers access control, telecommunications and network security, information security and risk management, application security, and cryptography. In addition, the expert contributors address security architecture and design, operations security, business continuity planning, and disaster recovery planning. The book also covers legal regulations, compliance, investigation, and physical security. In this anthology of treatises dealing with the management and technical facets of information security, the contributors examine varied topics such as anywhere computing, virtualization, podslurping, quantum computing, mashups, bluesnarfing, mobile device theft, social computing, voting machine insecurity, and format string vulnerabilities. Catalog no. AU0925, 2009, 392 pp., ISBN: 978-1-4200-9092-5, $99.95 / £60.99

Also Available

Bestseller!

Information Security Management Handbook Sixth Edition, Volume 1 Catalog no. AU7495, 2007, 3280 pp., ISBN: 978-0-8493-7495-1, $199.95 / £121.00

Information Security Management Handbook Sixth Edition, Volume 2 Catalog no. AU6708, 2008, 456 pp., ISBN: 978-1-4200-6708-8, $99.95 / £63.99

New! Get all 3 volumes on CD-ROM!

Information Security Management Handbook 2009 CD-ROM Edition

The multi-volume set of the Information Security Management Handbook is now available on CD-ROM. Containing the complete contents of the set, it offers a resource that is portable, linked, and searchable by keyword, and is organized under the CISSP® Common Body of Knowledge (CBK®) domains. In addition to an electronic version of the most comprehensive resource for information security management, this CD-ROM contains an extra volume's worth of information, including chapters from other security and networking books that have never appeared in the print editions and cannot be found anywhere else. Exportable text and hard copies are available at the click of a mouse. Catalog no. AU0984, January 2010, CD-ROM, ISBN: 978-1-4200-9098-7, $199.95 / £127.00

Physical Security

Bestseller!

Intelligent Network Video: Understanding Modern Video Surveillance Systems

Fredrik Nilsson, Axis Communications Inc., Chelmsford, Massachusetts, USA

This resource provides detailed coverage of advanced digital networking and intelligent video capabilities and optimization. It addresses general concepts, explains why IP-based systems provide better quality at a lower cost, and provides current information on cameras and DVRs. It also discusses frame rate control, indoor/outdoor installations, and MPEG-4 and other digital video formats. The book is accompanied by a CD-ROM containing tools for deploying and optimizing an installation. Catalog no. AU6156, 2009, 416 pp. ISBN: 978-1-4200-6156-7, $79.95 / £49.99

New!

Intelligent Video Surveillance: Systems and Technology

Edited by Yunqian Ma, Honeywell International, Inc., Minnesota, USA, and Gang Qian, Arizona State University, Tempe, USA

The latest implementation of surveillance cameras includes advanced video systems that can autonomously recognize people, detect movements, and identify targeted activities in real time. In response to such technology, this book examines the fundamental principles of current intelligent video surveillance systems. Providing a comprehensive look at the algorithmic design and system implementation for intelligent video surveillance, the authors cover computational principles and practical applications of present and future systems. Catalog no. K10681, January 2010, 590 pp. ISBN: 978-1-4398-1328-7, $119.95 / £72.99

21st Century Security and CPTED: Designing for Critical Infrastructure Protection and Crime Prevention

Randall I. Atlas, Atlas Safety and Security Design, Inc., Fort Lauderdale, Florida, USA

Offering important insight into concerns about violence and terrorism, this volume examines current trends in the developing field of Crime Prevention through Environmental Design (CPTED). Highly relevant to critical infrastructure protection, the book addresses application of CPTED to high-security environments, as well as public and private sector buildings. Facilitating understanding across fields, each chapter includes references and web links for further study. Catalog no. AU6807, 2008, 560 pp. ISBN: 978-1-4200-6807-8, $89.95 / £57.99

Critical Infrastructure: Understanding Its Component Parts, Vulnerabilities, Operating Risks, and Interdependencies

Tyson Macaulay, CISSP, CISA, ISSPCS, Ottawa, Ontario, Canada

Moving beyond definitions, this volume looks at the "iron triangle" within critical infrastructures: power, telecom, and finance. It introduces the concept of CIs as industrial and enterprise "risk conductors," highlighting the fact that a CI failure can propagate an impact throughout an enterprise. This text rethinks the concept of a CI according to contemporary factors, providing guidance for mitigating risk within the framework of national economies. Catalog no. AU6835, 2009, 344 pp. ISBN: 978-1-4200-6835-1, $79.95 / £49.99


Application Security

Secure Software Development: Assessing and Managing Security Risks

Douglas A. Ashbaugh, Software Engineering Services, West Des Moines, Iowa, USA

Secure Software Development: Assessing and Managing Security Risks illustrates how software application security can be best and most cost-effectively achieved when developers monitor and regulate risks early on, integrating assessment and management into the development life cycle. Drawing from the author's extensive experience as a developer, this volume examines current trends as well as problems that have plagued software security for more than a decade. Helping readers understand the security environment and the need for safety measures, the book:

• Explains the fundamental terms related to the security process
• Outlines and compares various techniques for assessing, identifying, and managing security risks and vulnerabilities, with step-by-step instruction on how to execute each approach
• Elaborates on the pros and cons of each method, phase by phase, to help readers select the one that best suits their needs

Despite decades of extraordinary growth in software development, many open-source, government, regulatory, and industry organizations have been slow to adopt new application safety controls, hesitant to take on the added expense. This book improves understanding of the security environment and the need for safety measures. It shows readers how to analyze relevant threats to their applications and then implement time- and money-saving techniques to safeguard them. Catalog no. AU6380, 2009, 321 pp. ISBN: 978-1-4200-6380-6, $79.95 / £49.99

Architecting Secure Software Systems

Asoke K. Talukder, SRIT House, Kundalahalli, Bangalore, India, and Manish Chaitanya, Irving, Texas, USA

Through the use of examples, this volume defines a myriad of security vulnerabilities and their resultant threats. It details how to do a security requirement analysis and outlines the security development lifecycle. The authors examine security architectures and threat countermeasures for UNIX, .NET, Java, mobile, and web environments. Finally, they explore the security of telecommunications and other distributed services through Service Oriented Architecture (SOA). Catalog no. AU7843, 2009, 446 pp. ISBN: 978-1-4200-8784-0, $59.95 / £38.99

Testing Code Security

Maura A. van der Linden, Microsoft, Snohomish, Washington, USA

Written in simple, straightforward terms, this text is a consolidated resource designed to teach the basic software security concepts required to conduct relevant and effective tests. Offering real-life examples that are not platform- or operating system-dependent, it presents foundation concepts, process and approach in security testing, security test planning, threat modeling, and specific root vulnerability problems with instructions on how to test for them. Catalog no. AU9251, 2007, 328 pp. ISBN: 978-0-8493-9251-1, $83.95 / £53.99


Computer Forensics

Computer Forensics: Evidence Collection and Management

Robert C. Newman, Georgia Southern University, Statesboro, USA

Focusing on numerous vulnerabilities and threats that are inherent in the internet and networking environments, Computer Forensics: Evidence Collection and Management examines activities that can be used to exploit the internet, computers, and electronic devices. Divided into two major sections, the first part explores various crimes, laws, policies, forensic tools, and the information needed to understand the underlying concepts of computer forensic investigations. The second section presents information relating to crime scene investigations and management, disk and file structure, laboratory construction and functions, and legal testimony. Separate chapters focus on investigations involving computer systems, e-mail, and wireless devices. Features:

• Presents more than 200 key terms throughout the book, with definitions supplied in the glossary
• Contains over 100 review questions and answers that help solidify comprehension
• Offers optional exercises and cases that emphasize the book's content
• Provides two sets of forms: the first for guiding readers through a forensic investigation and the second for guiding them through the procedures used in computer forensic laboratories
• Contains a selected bibliography with resources beneficial to forensic professionals

Offering a wealth of knowledge, the book presents techniques and suggestions for corporate security personnel, investigators, and forensic examiners to successfully identify, retrieve, and protect valuable forensic evidence for litigation and prosecution. Catalog no. AU0561, 2007, 432 pp. ISBN: 978-0-8493-0561-0, $83.95 / £53.99

Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition

Albert Marcella, Jr., CISA, Business Automation Consultants, LLC, Ballwin, Missouri, USA, and Doug Menendez, CISA, Saint Louis, Missouri, USA

Designed as an introduction and overview to the field, Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition integrates theory and practice to present the policies, procedures, methodologies, and legal ramifications and implications of a cyber forensic investigation. The authors guide readers step-by-step through the basics of investigation and introduce the tools and procedures required to legally seize and forensically evaluate a suspect machine. Features:

• Updates and expands information on concealment techniques, new technologies, hardware, software, and relevant new legislation
• Details the ability of cyber forensics to reveal and track legal and illegal activity
• Describes how to begin an investigation and employ investigative methodology
• Explains rules of evidence and chain of custody within both the local and federal legal framework
• Discusses standard operating procedures for cyber forensic investigation in the field and laboratory
• Evaluates the current data security and integrity exposure of multifunctional devices
• Establishes a flowchart for the seizure of electronic evidence

An extensive list of appendices provides valuable "hands-on" information including websites, organizations, pertinent legislation, further readings, and best practice recommendations. Catalog no. AU8328, 2008, 528 pp. ISBN: 978-0-8493-8328-1, $73.95 / £46.99


Computer Forensics

Wireless Crime and Forensic Investigation

Gregory Kipper, Computer Security Innovations, Herndon, Virginia, USA

From short text messaging to war driving, Wireless Crime and Forensic Investigation explores all aspects of wireless technology, how it is used in daily life, and how it will be used in the future. The book provides a one-stop resource on the types of wireless crimes that are being committed and forensic investigation techniques for wireless devices and wireless networks. The author's straightforward and easy-to-read style seamlessly integrates the topics of wireless security and computer forensics. He provides a solid understanding of modern wireless technologies, wireless security techniques, wireless crime techniques, and forensic analysis on wireless devices and networks. Each chapter, while part of a greater whole, can stand alone.

With a problem space as big and complex as wireless, proactive measures must be implemented immediately. To protect an organization, security professionals must be well versed in the new technology sooner rather than later. This book not only has all the information required to become proficient in wireless technology, but also provides the information required for conducting a forensic analysis in a wireless environment. Catalog no. AU3188, 2007, 280 pp. ISBN: 978-0-8493-3188-6, $83.95 / £53.99

Practical Hacking Techniques and Countermeasures

Mark D. Spivey, CISSP, Consultant, Tomball, Texas, USA

Examining computer security from the hacker's perspective, Practical Hacking Techniques and Countermeasures employs the use of virtual computers to illustrate how an attack is executed, including the script, compilation, and results. Readers can experiment firsthand with hacking techniques without the fear of corrupting computers or violating existing laws.

The book's easy-to-use lab manual presentation begins with instructions on how to install VMware® Workstation and proceeds to guide users through detailed hacking labs enabling them to experience what a hacker actually does during an attack. The labs cover social engineering techniques, footprinting techniques, and scanning tools. Later labs examine spoofing and sniffing techniques, password cracking, and attack tools. Identifying wireless attacks, this manual also explores Trojans, Man-in-the-Middle (MTM) and Denial of Service (DoS) attacks. Features:

• Provides detailed examples of attacks on Windows and Linux
• Contains more than 1100 screenshots for easily verified results
• Details Linux script compilation and use
• Lists the complete syntax for tools used throughout the book
• Includes an accompanying CD-ROM with the tools to duplicate each lab

Catalog no. AU7057, 2007, 752 pp. ISBN: 978-0-8493-7057-1, $83.95 / £53.99


Audit

IT Auditing and Sarbanes-Oxley Compliance: Key Strategies for Business Improvement

Dimitris N. Chorafas, Consultant for Major Corporations, France & Switzerland

Information technology auditing and Sarbanes-Oxley compliance have several overlapping characteristics. They both require ethical accounting practices, focused auditing activities, a functioning system of internal control, and a close watch by the board's audit committee and CEO. Written as a contribution to the accounting and auditing professions as well as to IT practitioners, IT Auditing and Sarbanes-Oxley Compliance: Key Strategies for Business Improvement links these two key business strategies and explains how to perform IT auditing in a comprehensive and strategic manner.

Proper auditing as a means to greater solvency

Drawing on 46 years of experience as a consultant to the boards of major corporations in manufacturing and banking, the author addresses objectives, practices, and business opportunities expected from auditing information systems. Topics discussed include the concept of internal control, auditing functions, internal and external auditors, and the responsibilities of the board of directors. The book uses several case studies to illustrate and clarify the material. Its chapters analyze the underlying reasons for failures in IT projects and how they can be avoided, examine critical technical questions concerning information technology, discuss problems related to system reliability and response time, and explore issues of compliance. Catalog no. AU6170, 2009, 305 pp. ISBN: 978-1-4200-8617-1, $89.95 / £57.99

Information Technology Control and Audit, Third Edition

Sandra Senft and Frederick Gallegos, California State Polytechnic University, Pomona, USA

Now in its third edition, this book is an introductory reference to IT governance, control, and auditing. It reviews pertinent legislation, discusses the future of auditing in the 21st century, and examines strategy and standards, and acquisition and implementation. It explores delivery and support and reviews advanced topics such as virtual environment, virtual security, e-commerce, and enterprise resource planning. It also includes guidelines for preparing for the CISA Exam. Catalog no. AU6550, 2009, 774 pp. ISBN: 978-1-4200-6550-3, $89.95 / £57.99

HOWTO Secure and Audit Oracle 10g and 11g

Ron Ben-Natan, CTO, Guardium Inc., Waltham, Massachusetts, USA

Demonstrating how to secure sensitive data and comply with audit regulations using Oracle 10g and 11g, this volume provides the hands-on guidance required to understand the complex options provided by Oracle and the know-how to choose the best option for a particular case. The book presents specific sequences of actions that should be taken to enable, configure, or administer security-related features. It includes best practices in securing Oracle and on Oracle security options and products. Catalog no. AU4127, 2009, 470 pp. ISBN: 978-1-4200-8412-2, $69.95 / £42.99


Governance, Risk and Compliance

How to Complete a Risk Assessment in 5 Days or Less

Thomas R. Peltier, Thomas R. Peltier Associates, LLC, Wyandotte, Michigan, USA

Successful security professionals have had to modify the process of responding to new threats in the high-profile, ultra-connected business environment. But just because a threat exists does not mean that an organization is at risk. This is what risk assessment is all about. How to Complete a Risk Assessment in 5 Days or Less demonstrates how to identify threats a company faces and then determine if those threats pose a real risk to the organization. With more than 350 pages of helpful ancillary materials, this volume effectively:

• Presents and explains the key components of risk management
• Shows how a cost-benefit analysis is part of risk management and how this analysis is performed as part of risk mitigation
• Explains how to draw up an action plan to protect the assets of an organization when the risk assessment process concludes
• Examines the difference between a Gap Analysis and a Security or Controls Assessment
• Presents case studies and examples of all risk management components

A one-stop, how-to resource for industry and academia professionals, this authoritative reference provides the knowledge base and the skill set necessary to achieve a speedy, yet highly effective risk analysis assessment in a matter of days. Catalog no. AU6275, 2009, 444 pp. ISBN: 978-1-4200-6275-5, $79.95 / £49.99

How to Achieve 27001 Certification: An Example of Applied Compliance Management

Sigurjon Thor Arnason, Social Insurance Administration, Reykjavik, Iceland, and Keith D. Willett, CTN Technologies, Millersville, Maryland, USA

The security criteria of the International Standards Organization (ISO) provide an excellent foundation for identifying and addressing business risks through a disciplined security management process. Using security standards ISO 17799 and ISO 27001 as a basis, How to Achieve 27001 Certification: An Example of Applied Compliance Management helps an organization align its security and organizational goals so it can generate effective security, compliance, and management programs. The authors offer insight from their own experiences, providing questions and answers to determine an organization's information security strengths and weaknesses with respect to the standard. They also present step-by-step information to help an organization plan an implementation, as well as prepare for certification and audit.

Detailed protocol from the experts

Security is no longer a luxury for an organization; it is a legislative mandate. A formal methodology that helps an organization define and execute an ISMS is essential in order to perform and prove due diligence in upholding stakeholder interests and legislative compliance. Providing a good starting point for novices, as well as finely tuned nuances for seasoned security professionals, this book is an invaluable resource for anyone involved with meeting an organization's security, certification, and compliance needs. Catalog no. AU3648, 2008, 352 pp. ISBN: 978-0-8493-3648-5, $83.95 / £53.99


Governance, Risk and Compliance

Bestseller!

Oracle Identity Management: Governance, Risk, and Compliance Architecture, Third Edition

Marlin B. Pohlman, Oracle Corporation, Redwood Shores, California, USA

Oracle Identity Management: Governance, Risk, and Compliance Architecture is the definitive guide for corporate stewards who are struggling with the challenge of meeting regulatory compliance pressures while embarking on the path of process and system remediation. The text is written by Marlin Pohlman, a director with Oracle who is recognized as one of the primary educators worldwide on identity management, regulatory compliance, and corporate governance. In the book's first chapters, Dr. Pohlman examines multinational regulations and delves into the nature of governance, risk, and compliance. He also cites common standards, illustrating a number of well-known compliance frameworks. He then focuses on specific software components that will enable secure business operations. To complete the picture, he discusses elements of the Oracle architecture, which permit reporting essential to the regulatory compliance process, and the vaulting solutions and data hubs, which collect, enforce, and store policy information. Using illustrative case studies, this work teaches corporate stewards how to:

• Attain and maintain high levels of integrity
• Eliminate redundancy and excessive expense in identity management
• Map solutions directly to region and legislation
• Hold providers accountable for contracted services

Catalog no. AU7247, 2008, 552 pp., Soft Cover, ISBN: 978-1-4200-7247-1, $69.95 / £44.99

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

Douglas J. Landoll, En Pointe Technologies, Austin, Texas, USA

Providing detailed insight into precisely how to conduct an information security risk assessment, this volume contains real-world advice that promotes professional development and experience. It enables security consumers to better negotiate the scope and rigor of a security assessment, effectively interface with a security assessment team, deliver insightful comments on a draft report, and have a greater understanding of final report recommendations. The book is filled with charts, checklists, examples, and templates. Catalog no. AU2998, 2006, 504 pp. ISBN: 978-0-8493-2998-2, $83.95 / £53.99

Bestseller!

A Practical Guide to Security Assessments

Sudhanshu Kairab, Amper, Politziner, & Mattia, P.C., New Jersey, USA

Taking a process-focused approach, this volume presents a structured methodology for conducting assessments. The key element of the methodology is an understanding of business goals and processes, and how security measures are aligned with business risks. The methodology described serves as a foundation for building and maintaining an information security program. The book includes an Appendix that contains questionnaires that can be modified and used to conduct security assessments. Catalog no. AU1706, 2005, 520 pp. ISBN: 978-0-8493-1706-4, $83.95 / £53.99


Governance, Risk and Compliance

Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet

Ken Dunham and Jim Melnick, iSIGHT Partners, Inc., Dallas, Texas, USA

Computerized bots have increasingly been used maliciously by online criminals in mass spamming events, fraud, extortion, identity theft, and software theft. Written by Ken Dunham and Jim Melnick, who serve on the front line of critical cyber-attacks and countermeasures as experts in the deployment of geopolitical and technical bots, Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet explores the rise of dangerous bots and exposes the nefarious methods of bot herders. This volume provides in-depth coverage of the top bot attacks against financial and government networks over the last several years. The book presents exclusive details of the operation of the notorious Thr34t Krew, one of the most malicious bot herder groups in recent history. For the first time, this story is publicly revealed, showing how the bot herders got arrested, along with details on other bots in the wild today. With unprecedented detail, the book goes on to explain step-by-step how a hacker launches a botnet attack, providing specifics that only those entrenched in the cyber-crime investigation world could possibly offer. By examining the methods of the internet predators, information security managers will be better armed against these cybercriminals and better able to more proactively protect their own networks from such attacks. Catalog no. AU6903, 2009, 168 pp. ISBN: 978-1-4200-6903-7, $59.95 / £38.99

System Defense

Insider Computer Fraud: An In-depth Framework for Detecting and Defending against Insider IT Attacks

Kenneth Brancik, Information Security Consultant, New York, USA

An organization's employees are often more intimate with its computer system than anyone else. Many also have access to sensitive information regarding the company and its customers. This makes disgruntled or greedy employees prime candidates for sabotaging a system or selling privileged information. Insider Computer Fraud: An In-depth Framework for Detecting and Defending against Insider IT Attacks presents the methods, safeguards, and techniques that help protect an organization from insider computer fraud. Drawing from the author's vast experience assessing the adequacy of IT security for the banking and securities industries, the book presents a practical framework for identifying, measuring, monitoring, and controlling the risks associated with insider threats. It not only provides an analysis of application or system-related risks, it demonstrates the interrelationships that exist between an application and the IT infrastructure components it uses to transmit, process, and store sensitive data. The author also examines the symbiotic relationship between the risks, controls, threats, and action plans that should be deployed to enhance the overall information security governance processes. Increasing the awareness and understanding necessary to effectively manage the risks and controls associated with an insider threat, this book is an invaluable resource for those interested in attaining sound and best practices over the risk management process. Catalog no. AU4659, 2008, 504 pp. ISBN: 978-1-4200-4659-5, $83.95 / £53.99


System Defense

Cyber Fraud: Tactics, Techniques and Procedures

James Graham

One of the most important challenges of the 21st century, cybercrime has evolved from a minor nuisance to a major concern involving well-organized actors and highly sophisticated organizations. Cyber Fraud: Tactics, Techniques, and Procedures documents changes in the culture of cyber criminals and explores the innovations that are the result of those changes. Features:

• Examines economic vulnerability models in the market and analyzes how they affect vendors, end users, and vulnerability researchers
• Outlines a conceptual model of the structures, functions, and roles of actors and organizations within this illicit marketplace
• Addresses the developing maturity of malcode communication and the preventative measures organizations can take
• Discusses Trojan software used to target the financial sector
• Outlines the necessary countermeasure expenditures that should be considered by organizations

This eye-opening work includes a variety of case studies, including the cyber threat landscape in Russia and Brazil. An in-depth discussion is provided on the Russian Business Network's (RBN) role in global cyber crime as well as new evidence on how these criminals steal, package, buy, sell, and profit from the personal financial information of consumers. Armed with this invaluable information, organizations and individuals are better able to secure their systems and develop countermeasures to disrupt underground fraud. Catalog no. AU9127, 2009, c. 520 pp. ISBN: 978-1-4200-9127-4, $79.95 / £48.99

The Ethical Hack: A Framework for Business Value Penetration Testing

James S. Tiller, BT INS, Raleigh, North Carolina, USA

"… explains not only why ethical hacks are viable, but also why they are critical. … [This] is one of the most complete books on penetration testing available." —Security Management

"… an outstanding book that describes in detail the right way to conduct a thorough penetration test. … our industry needs a base line of solid practices to help separate the professionals from the charlatans. Jim's book describes such practices, including the policies, procedures, and technical insights that come from years of in-the-trenches experience." —Ed Skoudis, VP of Security Strategy, Global Integrity, from the Foreword

"This book differentiates itself by presenting a structured approach to testing an organization's security… Tiller's writing style makes the book easy to follow, and he uses plenty of real-world examples…" —IEEE Security & Privacy

This book explains the methodologies and framework that ethical hacks should employ to provide the maximum value to organizations that want to strengthen their security. It addresses the processes and rules of engagement for successful tests and shows how testing ramifications affect an entire organization. Security practitioners can use this book to reduce their exposure and deliver better service, while organizations will learn how to align information about tools, techniques, and vulnerabilities with their business objectives. Catalog no. AU1609, 2005, 352 pp. ISBN: 978-0-8493-1609-8, $78.95 / £49.99


Call us about different subscription options

SAVE 15%! Use this Promo Code when ordering to

6000 Broken Sound Parkway, NW, Suite 300 Boca Raton, FL 33487, USA

For a complete list of IT Security titles, please visit www.crcpress.com