Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures

Brian T. Contos (author) | Syngress Media Inc | 2007-01-01 | 95,470 won

Book information

· Title: Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures (Paperback)
· Category: Foreign books > Computers > Security > General
· ISBN: 9781597491297
· Pages: 290

Table of contents

Part I: Background on Cyber Crime, Insider Threats, and ESM
Chapter One: Cyber Crime and Cyber Criminals
• About this Chapter
• Computer Dependence and Internet Growth
• The Shrinking Vulnerability Threat Window
• Motivations for Cyber Criminal Activity
o Black Markets
• Hacker
• Script Kiddies
• Solitary Cyber Criminals and Exploit Writers for Hire
• Organized Crime
• Identity Thieves (Impersonation Fraudsters)
• Competitors
• Activist Groups, Nation-State Threats, and Terrorists
• Activists
• Nation-State Threats
o China
o France
o Russia
o United Kingdom
o United States
• Terrorists
• Insiders
• Tools of the Trade
o Application-Layer Exploits
o Botnets
o Buffer Overflows
o Code Packing
o Denial-of-service (DoS) Attacks
o More Aggressive and Sophisticated Malware
o Non-wired Attacks and Mobile Devices
o Password-cracking
o Phishing
o Reconnaissance and Googledorks
o Rootkits and Keyloggers
o Social Engineering Attacks
o Voice over IP (VoIP) Attacks
o Zero-Day Exploits
• Summary Points
Chapter Two: Insider Threats
• Understanding Who the Insider Is
• Psychology of Insider Identification
• Insider Threat Examples from the Media
• Insider Threats from a Human Perspective
o A Word on Policies
• Insider Threats from a Business Perspective
o Risk
• Insider Threats from a Technical Perspective
o Need-to-know
o Least Privileges
o Separation of Duties
o Strong Authentication
o Access Controls
o Incident Detection and Incident Management
• Summary Points

Chapter Three: Enterprise Security Management (ESM)
• ESM in a Nutshell
• Key ESM Feature Requirements
o Event Collection
o Normalization
o Categorization
o Asset Information
o Vulnerability Information
o Zoning and Global Positioning System Data
o Active Lists
o Actors
o Data Content
o Correlation
o Prioritization
o Event and Response Time Reduction
o Anomaly Detection
o Pattern Discovery
o Alerting
o Case Management
o Real-Time Analysis and Forensic Investigation
o Visualization
o High-level Dashboards
o Detailed Visualization
o Reporting
o Remediation
• Return On Investment (ROI) and Return On Security Investment (ROSI)
• Alternatives to ESM
o Do Nothing
o Custom In-house Solutions
o Outsourcing and Co-sourcing
• Co-sourcing examples:
• Summary Points

Part II: Real Life Case Studies
Chapter Four: Imbalanced Security - A Singaporean Data Center
Chapter Five: Correlating Physical and Logical Security Events - A U.S. Government Organization
Chapter Six: Insider with a Conscience - An Austrian Retailer
Chapter Seven: Collaborative Threat - A Telecommunications Company in the U.S.
Chapter Eight: Outbreak from Within - A Financial Organization in the U.K.
Chapter Nine: Mixing Revenge and Passwords - A Utility Company in Brazil
Chapter Ten: Rapid Remediation - A University in the United States
Chapter Eleven: Suspicious Activity - A Consulting Company in Spain
Chapter Twelve: Insiders Abridged
• Malicious use of Medical Records
• Hosting Pirated Software
• Pod-Slurping
• Auctioning State Property
• Writing Code for another Company
• Outsourced Insiders
• Smuggling Gold in Rattus Norvegicus

Part III: The Extensibility of ESM
Chapter Thirteen: Establishing Chain-of-Custody Best Practices with ESM
• Disclaimer
• Monitoring and disclosure
• Provider Protection Exception
• Consent Exception
• Computer Trespasser Exception
• Court Order Exception
• Best Practices
• Canadian Best Evidence Rule
• Summary Points

Chapter Fourteen: Addressing Both Insider Threats and Sarbanes-Oxley with ESM
• A Primer on Sarbanes-Oxley
• Section 302: Corporate Responsibility for Financial Reports
• Section 404: Management Assessment of Internal Controls
• Separation of Duties
• Monitoring Interaction with Financial Processes
• Detecting Changes in Controls over Financial Systems
• Section 409: Real-time Issuer Disclosures
• Summary Points

Chapter Fifteen: Incident Management with ESM
• Incident Management Basics
• Improved Risk Management
• Improved Compliance
• Reduced Costs
• Current Challenges
o Process
o Organization
o Technology
• Building an Incident Management Program
o Defining Risk
• Five Steps to Risk Definition for Incident Management
o Process
o Training
o Stakeholder Involvement
o Remediation
o Documentation
• Reporting and Metrics
• Summary Points

Chapter Sixteen: Insider Threat Questions and Answers
• Introduction
• Insider Threat Recap
• Question One - Employees
o The Hiring Process
o Reviews
o Awareness
o NIST 800-50
o Policies
o Standards
o Security Memorandum Example
• Question Two - Prevention
• Question Three - Asset Inventories
• Question Four - Log Collection
o Security Application Logs
o Operating System Log
o Web Server Logs
o NIST 800-92
• Question Five - Log Analysis
• Question Six - Specialized Insider Content
• Question Seven - Physical and Logical Security Convergence
• Question Eight - IT Governance
o NIST 800-53
o Network Account Deletion maps to NIST 800-53 section AC-2
o Vulnerability Scanning maps to NIST 800-53 section RA-5
o Asset Creation maps to NIST 800-53 section CM-4
o Attacks and Suspicious Activity from Public Facing Assets maps to NIST 800-53 section SC-14
o Traffic from Internal to External Assets maps to NIST 800-53 section SC-7
• Question Nine - Incident Response
• Question 10 - Must Haves

Appendix A - Examples of Cyber Crime Prosecutions

Book database provided by: Aladin Bookstore (www.aladin.co.kr)