22.1 Introduction
22.2 Risk Analysis
    22.2.1 Business Loss
        22.2.1.1 PR Image
        22.2.1.2 Loss of Customers/Business
    22.2.2 Interruptions
        22.2.2.1 Production
        22.2.2.2 Supply Chain
        22.2.2.3 Delivery Chain
        22.2.2.4 Information Delivery
    22.2.3 Proactive Versus Reactive Threats
22.3 Threat and Hazard Assessment
    22.3.1 What Are Threats and Hazards?
    22.3.2 Hostile and Deliberate Acts, in Order of General Probability
        22.3.2.1 Employee Misbehavior (Deliberate or Accidental)
        22.3.2.2 Crackers
        22.3.2.3 Angry Customers
        22.3.2.4 Political Activism
        22.3.2.5 Terrorism
        22.3.2.6 Criminals
    22.3.3 Competitors
    22.3.4 Damage by Nonhostile Acts
    22.3.5 Acts of God
        22.3.5.1 Weather
        22.3.5.2 Earthquake
        22.3.5.3 Fire
        22.3.5.4 Bridge and Tunnel Failure
        22.3.5.5 Hardware Failure
        22.3.5.6 Vehicle Accidents
    22.3.6 Acts of Clod
        22.3.6.1 Death by Backhoe or Pile Driver
        22.3.6.2 Operator Error
        22.3.6.3 Poorly Executed Updates or Maintenance of Hardware or Software
        22.3.6.4 Failures of Planning
        22.3.6.5 Accidental Worms
22.4 Rules of Engagement
22.5 Technical Issues
    22.5.1 Applications Design
    22.5.2 Provisioning
    22.5.3 Restrictions
    22.5.4 Multiple Security Domains
    22.5.5 What Needs to Be Exposed?
    22.5.6 Exposed Systems
    22.5.7 Hidden Subnets
    22.5.8 Access Controls
    22.5.9 Site Maintenance
    22.5.10 Maintaining Site Integrity
22.6 Accepting Losses
22.7 Ethical Issues
    22.7.1 Monitoring
        22.7.1.1 Employee Monitoring
        22.7.1.2 Carnivore Issues
        22.7.1.3 Liabilities
    22.7.2 Customer Monitoring, Privacy, and Disclosure
22.8 Litigation
    22.8.1 Civil
    22.8.2 Regulatory
    22.8.3 Criminal
    22.8.4 Logs, Evidence, and Recording What Happened
22.9 Technology
    22.9.1 Protecting Customers
    22.9.2 Protecting Staff
    22.9.3 Protecting Partners
    22.9.4 Protecting a Site with Damage Control
        22.9.4.1 File Security
        22.9.4.2 Going Offline
        22.9.4.3 Monitoring
        22.9.4.4 Planning
        22.9.4.5 Compartmentalization
22.10 Physical Deployment
    22.10.1 Site Hardening
    22.10.2 Site Dispersion
    22.10.3 Application Service Providers
22.11 Reaction Plans
    22.11.1 Computer Emergency Response Teams (CERTs)
    22.11.2 CERT Auxiliaries
22.12 Summary
22.13 References
22.14 For Further Reading