22.1 Introduction
22.2 Risk Analysis
22.2.1 Business Loss
22.2.1.1 PR Image
22.2.1.2 Loss of Customers/Business
22.2.2 Interruptions
22.2.2.1 Production
22.2.2.2 Supply Chain
22.2.2.3 Delivery Chain
22.2.2.4 Information Delivery
22.2.3 Proactive Versus Reactive Threats
22.3 Threat and Hazard Assessment
22.3.1 What Are Threats and Hazards?
22.3.2 Hostile and Deliberate Acts, in Order of General Probability
22.3.2.1 Employee Misbehavior (Deliberate or Accidental)
22.3.2.2 Crackers
22.3.2.3 Angry Customers
22.3.2.4 Political Activism
22.3.2.5 Terrorism
22.3.2.6 Criminals
22.3.3 Competitors
22.3.4 Damage by Nonhostile Acts
22.3.5 Acts of God
22.3.5.1 Weather
22.3.5.2 Earthquake
22.3.5.3 Fire
22.3.5.4 Bridge and Tunnel Failure
22.3.5.5 Hardware Failure
22.3.5.6 Vehicle Accidents
22.3.6 Acts of Clod
22.3.6.1 Death by Backhoe or Pile Driver
22.3.6.2 Operator Error
22.3.6.3 Poorly Executed Updates or Maintenance of Hardware or Software
22.3.6.4 Failures of Planning
22.3.6.5 Accidental Worms
22.4 Rules of Engagement
22.5 Technical Issues
22.5.1 Applications Design
22.5.2 Provisioning
22.5.3 Restrictions
22.5.4 Multiple Security Domains
22.5.5 What Needs to Be Exposed?
22.5.6 Exposed Systems
22.5.7 Hidden Subnets
22.5.8 Access Controls
22.5.9 Site Maintenance
22.5.10 Maintaining Site Integrity
22.6 Accepting Losses
22.7 Ethical Issues
22.7.1 Monitoring
22.7.1.1 Employee Monitoring
22.7.1.2 Carnivore Issues
22.7.1.3 Liabilities
22.7.2 Customer Monitoring, Privacy, and Disclosure
22.8 Litigation
22.8.1 Civil
22.8.2 Regulatory
22.8.3 Criminal
22.8.4 Logs, Evidence, and Recording What Happened
22.9 Technology
22.9.1 Protecting Customers
22.9.2 Protecting Staff
22.9.3 Protecting Partners
22.9.4 Protecting a Site with Damage Control
22.9.4.1 File Security
22.9.4.2 Going Offline
22.9.4.3 Monitoring
22.9.4.4 Planning
22.9.4.5 Compartmentalization
22.10 Physical Deployment
22.10.1 Site Hardening
22.10.2 Site Dispersion
22.10.3 Application Service Providers
22.11 Reaction Plans
22.11.1 Computer Emergency Response Teams (CERTs)
22.11.2 CERT Auxiliaries
22.12 Summary
22.13 References
22.14 For Further Reading