IST-456 Security Management

Resources

These Web-based resources are provided as value-added material for IST-456. They have been compiled by Dr. Gerry Santoro, often with the aid of IST-456 students, and are optional reading. They are arranged into rough categories. The resources come from government sources, industry sources, Web sites and white papers. I will constantly add resources to this site. Contributions are always welcome!

An excellent source of information is the SANS Information Security Reading Room. Some of the papers are listed in the topics below.

Penn State Resources

         Penn State Center for Cyber-Security, Information Privacy and Trust - http://cybersecurity.ist.psu.edu/index.php

         Penn State Cyber-Security Lab - http://s2.ist.psu.edu/

US Government Resources

NOTE: Some of these, such as NIST documents, may be listed below in topical areas.

         NSA Information Assurance advice and resources - http://www.nsa.gov/ia/mitigation_guidance/index.shtml

         US Computer Emergency Readiness Team -- http://www.us-cert.gov/

         Complete list of NIST Information Security Publications -- http://csrc.nist.gov/publications/PubsTC.html

         NICCS National Initiative for Cybersecurity Careers and Studies - http://niccs.us-cert.gov/

Hacking Educational Resources

Security professionals must understand how systems are attacked and compromised in order to effectively protect those systems. Following is a list of Web sites that provide learning resources for ethical hacking.

         Hack This Site - https://www.hackthissite.org/

         Hack This! - https://www.hackthis.co.uk/

         Hack in the Box - http://www.hitb.org/

         Hack a Day - http://hackaday.com/

         Evil Zone - https://evilzone.org/

General Resources

         A Risk Management Reading List -- http://fcw.com/articles/2012/10/23/risk-management-reading-list-nist.aspx

         US Computer Emergency Readiness Team -- http://www.us-cert.gov/

         Security Tube -- http://www.securitytube.net/

         IT Security White Papers -- http://www.itwhitepapers.com/technology/security

Security Blogs

         Bruce Schneier Crypt-O-Gram -- http://www.schneier.com/crypto-gram.html

         Secure State Blog -- http://blog.securestate.com/

         Krebs on Security -- http://krebsonsecurity.com/

Planning for Security and Contingencies

         Contingency Planning Guide for Federal Information Systems -- http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf

         Guide for Developing Security Plans for Federal Information Systems -- http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf

         Computer Security Incidents: Assessing, Managing, And Controlling The Risks - ITL Security Bulletin -- http://csrc.nist.gov/publications/nistbul/b-01-04.pdf

         Techniques for System and Data Recovery - ITL Security Bulletin -- http://csrc.nist.gov/publications/nistbul/04-02.pdf

         System and Network Security Acronyms and Abbreviations -- http://csrc.nist.gov/publications/nistir/ir7581/nistir-7581.pdf

         Guide to Integrating Forensic Techniques into Incident Response -- http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf

         Office of the President of the United States: International Strategy for Cyberspace -- http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf

Information Security Policy

         Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) -- http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

         Information Security Guide For Government Executives -- http://csrc.nist.gov/publications/nistir/ir7359/CSD_ExecGuide-booklet.pdf

         Security Policies Made Easy (commercial product) -- http://www.informationshield.com/ispmemain.htm

Developing the Security Program

         Building an Information Technology Security Awareness and Training Program -- http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

         An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule -- http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

         Implementing an Effective IT Security Program (SANS) -- http://www.sans.org/reading_room/whitepapers/bestprac/implementing-effective-security-program_80

         Creating the Effective Security Awareness Program -- http://www.sans.org/reading_room/whitepapers/awareness/creating-effective-security-awareness-program-demonstration_1079

         Building a Security Awareness Program -- http://www.gideonrasmussen.com/article-01.html

         Success Strategies for Security Awareness -- http://www.techrepublic.com/article/success-strategies-for-security-awareness/5193710

Security Management Models

         Minimum Security Requirements for Federal Information and Information Systems -- http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf

         Standards for Security Categorization of Federal Information and Information Systems -- http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

         An Overview Of The Common Criteria Evaluation And Validation Scheme - ITL Security Bulletin -- http://csrc.nist.gov/publications/nistbul/10-00.pdf

         Systemic Security Management: The ICIIP Model -- http://www.cisspzone.com/cissp-practice-test/

Security Management Practices

         Guide for Security-Focused Configuration Management of Information Systems -- http://csrc.nist.gov/publications/nistpubs/800-128/sp800-128.pdf

         Technical Guide to Information Security Testing and Assessment -- http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

         IT Security Metrics - ITL Security Bulletin -- http://csrc.nist.gov/publications/nistbul/bulletin08-03.pdf

         Information Security Continuous Monitoring for Federal Information Systems and Organizations -- http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf

         Security Guide for Interconnecting Information Technology Systems -- http://csrc.nist.gov/publications/nistpubs/800-47/sp800-47.pdf

         Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach -- http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

         Comparison of Security Management Practices -- http://www.giac.org/cissp-papers/407.pdf

         Information Security Program Guide for State Agencies (California Office of Information Security and Privacy Protection) -- http://www.sans.org/reading_room/whitepapers/bestprac/implementing-effective-security-program_80

Risk Management: Identifying and Controlling Risk

         Recommended Security Controls for Federal Information Systems and Organizations -- http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

         Specification for Asset Identification 1.1 -- http://csrc.nist.gov/publications/nistir/ir7693/NISTIR-7693.pdf

         Secure Hash Standard (SHS) -- http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf

         GIAC G2700 Certified ISO-27000 Specialist -- http://www.giac.org/certification/certified-iso-27000-specialist-g2700

         ISO-27000 Central -- http://www.17799central.com/

         History of ISO-27000 Standards -- http://www.27000.org/thepast.htm

         Many resources for ISO-27000 Standards -- http://www.iso27001security.com/html/iso27000.html

         ESIS Open Source Executive Security Information System - http://esis.sourceforge.net/ESIS/Home.html

         Consulare Wiki for ESIS - http://www.consulare.ch/apps/mediawiki/index.php5?title=Main_Page

         Security for Cloud Computing 10 Steps to Ensure Success - http://www.cloud-council.org/Security_for_Cloud_Computing-Final_080912.pdf

         Comparison between ISO-27005, Octave and NIST SP 800-30 - http://sisainfosec.com/blog/comparison-between-iso-27005-octave-nist-sp-800-30-2/

         Why the Emerging ISO-27000 Series are vital for Business Resilience -- http://www.personal.psu.edu/gms/sp13/456/about%20iso-27K%20Poole.pdf

         ISO/IEC 27001 2013 Plain English Introduction - http://www.praxiom.com/iso-27001-intro.htm

         ISO/IEC 27002 2013 Old versus New - http://www.praxiom.com/iso-27002-old-new.htm

         ISO/IEC 27002 2013 Translated into Plain English - http://www.praxiom.com/iso-27002.htm

         Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013 - http://www.bsigroup.com/LocalFiles/en-GB/iso-iec-27001/resources/BSI-ISO27001-transition-guide-UK-EN-pdf.pdf

Vulnerabilities and Threats

         The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems -- http://csrc.nist.gov/publications/nistir/ir7435/NISTIR-7435.pdf

         Computer Attacks: What They Are and How to Defend Against Them - ITL Security Bulletin -- http://csrc.nist.gov/publications/nistbul/05-99.pdf

         Guide to Malware Incident Prevention and Handling -- http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf

         National Vulnerability Database: Helping Information Technology System Users And Developers Find Current Information About Cyber Security Vulnerabilities - ITL Security Bulletin -- http://csrc.nist.gov/publications/nistbul/b-Oct-05.pdf

         Creating A Program To Manage Security Patches And Vulnerabilities: NIST Recommendations For Improving System Security - ITL Security Bulletin -- http://csrc.nist.gov/publications/nistbul/b-02-06.pdf

         Norton Cybercrime Report 2011 -- http://us.norton.com/content/en/us/home_homeoffice/html/cybercrimereport/

Protection Mechanisms

         Guidelines for Securing Wireless Local Area Networks (WLANs) -- http://csrc.nist.gov/publications/nistpubs/800-153/sp800-153.pdf

         Guidelines on Security and Privacy in Public Cloud Computing -- http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf

         Guide to Intrusion Detection and Prevention Systems (IDPS) -- http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

         Guidelines on Firewalls and Firewall Policy -- http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf

         Biometrics - Technologies for Highly Secure Personal Authentication - ITL Security Bulletin -- http://csrc.nist.gov/publications/nistbul/05-01.pdf

         Guide to SSL VPNs -- http://csrc.nist.gov/publications/nistpubs/800-113/SP800-113.pdf

         Advanced Encryption Standard -- http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

         Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations -- http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf

         Federal Agency Use of Public Key Technology for Digital Signatures and Authentication -- http://csrc.nist.gov/publications/nistpubs/800-25/sp800-25.pdf

         Guideline for Implementing Cryptography in the Federal Government -- http://csrc.nist.gov/publications/nistpubs/800-21-1/sp800-21-1_Dec2005.pdf

         DoD Cyber Protect Network Security Game -- http://iase.disa.mil/eta/cyber-protect/launchpage.htm

         TLS Transport Layer Security -- http://en.wikipedia.org/wiki/Transport_Layer_Security

         SSL Certificates -- https://www.globalsign.com/ssl-information-center/what-is-an-ssl-certificate.html?gclid=CI3YutnD46wCFcp65Qoduzywnw

         NIST.org Free Online Antivirus, Spyware and Firewall reviews -- http://www.nist.org/news.php?extend.93

Personnel and Security

         CompTIA+ Practice Exams -- http://www.techexams.net/securityplus/

         CompTIA Certification -- http://certification.comptia.org/home.aspx

         CISSP Certification -- https://www.isc2.org/cissp/default.aspx

         CISSP Practice Test -- http://www.cisspzone.com/cissp-practice-test/

Security Law and Ethics

         The Legal System and Ethics in Information Security (SANS) -- http://www.sans.org/reading_room/whitepapers/legal/legal-system-ethics-information-security_54

         Legal, Ethical and Professional Issues in Information Security -- http://academic.cengage.com/resource_uploads/downloads/1111138214_259148.pdf

         Information Security Law and Ethics -- http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&cad=rja&ved=0CEkQFjAE&url=http%3A%2F%2Fwww.sis.pitt.edu%2F~jjoshi%2FIS2820%2FSpring06%2Fchapter11.doc&ei=qvXhUKXtBNTC0AHAnICYCA&usg=AFQjCNGqm2UvMDJZHdC_B3zLWFnqGD_vgw&bvm=bv.1355534169,d.dmQ

         Computer Ethics -- http://www.isaca.org/Journal/Past-Issues/2008/Volume-6/Documents/jpdf0806-computer-ethics.pdf

         An Analysis of Ethics as a Foundation of Information Security in Distributed Systems -- http://www.computer.org/csdl/proceedings/hicss/1998/8248/06/82480213.pdf

         GIAC Code of Ethics -- http://www.giac.org/about/ethics/code

         ISSA Code of Ethics -- http://www.issa.org/?page=codeofethics

         ISC2 Code of Ethics -- https://www.isc2.org/ethics/default.aspx

         SANS IT Code of Ethics -- http://www.sans.org/security-resources/ethics.php