Index
About This eBook
Title Page
Copyright Page
Dedication Page
Contents
Foreword
Citations
Preface
Why Read This Book?
Uses for and Users of This Book
Organization of This Book
How to Read This Book
What Is New in This Book
Acknowledgments
About the Authors
1. Introduction
1.1 What Is Computer Security?
Values of Assets
The Vulnerability–Threat–Control Paradigm
1.2 Threats
Confidentiality
Integrity
Availability
Types of Threats
Types of Attackers
1.3 Harm
Risk and Common Sense
Method–Opportunity–Motive
1.4 Vulnerabilities
1.5 Controls
1.6 Conclusion
1.7 What’s Next?
1.8 Exercises
2. Toolbox: Authentication, Access Control, and Cryptography
2.1 Authentication
Identification Versus Authentication
Authentication Based on Phrases and Facts: Something You Know
Authentication Based on Biometrics: Something You Are
Authentication Based on Tokens: Something You Have
Federated Identity Management
Multifactor Authentication
Secure Authentication
2.2 Access Control
Access Policies
Implementing Access Control
Procedure-Oriented Access Control
Role-Based Access Control
2.3 Cryptography
Problems Addressed by Encryption
Terminology
DES: The Data Encryption Standard
AES: Advanced Encryption System
Public Key Cryptography
Public Key Cryptography to Exchange Secret Keys
Error Detecting Codes
Trust
Certificates: Trustable Identities and Public Keys
Digital Signatures—All the Pieces
2.4 Exercises
3. Programs and Programming
3.1 Unintentional (Nonmalicious) Programming Oversights
Buffer Overflow
Incomplete Mediation
Time-of-Check to Time-of-Use
Undocumented Access Point
Off-by-One Error
Integer Overflow
Unterminated Null-Terminated String
Parameter Length, Type, and Number
Unsafe Utility Program
Race Condition
3.2 Malicious Code—Malware
Malware—Viruses, Trojan Horses, and Worms
Technical Details: Malicious Code
3.3 Countermeasures
Countermeasures for Users
Countermeasures for Developers
Countermeasure Specifically for Security
Countermeasures that Don’t Work
Conclusion
Exercises
4. The Web—User Side
4.1 Browser Attacks
Browser Attack Types
How Browser Attacks Succeed: Failed Identification and Authentication
4.2 Web Attacks Targeting Users
False or Misleading Content
Malicious Web Content
Protecting Against Malicious Web Pages
4.3 Obtaining User or Website Data
Code Within Data
Website Data: A User’s Problem, Too
Foiling Data Attacks
4.4 Email Attacks
Fake Email
Fake Email Messages as Spam
Fake (Inaccurate) Email Header Data
Phishing
Protecting Against Email Attacks
4.5 Conclusion
4.6 Exercises
5. Operating Systems
5.1 Security in Operating Systems
Background: Operating System Structure
Security Features of Ordinary Operating Systems
A Bit of History
Protected Objects
Operating System Tools to Implement Security Functions
5.2 Security in the Design of Operating Systems
Simplicity of Design
Layered Design
Kernelized Design
Reference Monitor
Correctness and Completeness
Secure Design Principles
Trusted Systems
Trusted System Functions
The Results of Trusted Systems Research
5.3 Rootkit
Phone Rootkit
Rootkit Evades Detection
Rootkit Operates Unchecked
Sony XCP Rootkit
TDSS Rootkits
Other Rootkits
5.4 Conclusion
5.5 Exercises
6. Networks
6.1 Network Concepts
Background: Network Transmission Media
Background: Protocol Layers
Background: Addressing and Routing
Part I—War on Networks: Network Security Attacks
6.2 Threats to Network Communications
Interception: Eavesdropping and Wiretapping
Modification, Fabrication: Data Corruption
Interruption: Loss of Service
Port Scanning
Vulnerability Summary
6.3 Wireless Network Security
WiFi Background
Vulnerabilities in Wireless Networks
Failed Countermeasure: WEP (Wired Equivalent Privacy)
Stronger Protocol Suite: WPA (WiFi Protected Access)
6.4 Denial of Service
Example: Massive Estonian Web Failure
How Service Is Denied
Flooding Attacks in Detail
Network Flooding Caused by Malicious Code
Network Flooding by Resource Exhaustion
Denial of Service by Addressing Failures
Traffic Redirection
DNS Attacks
Exploiting Known Vulnerabilities
Physical Disconnection
6.5 Distributed Denial-of-Service
Scripted Denial-of-Service Attacks
Bots
Botnets
Malicious Autonomous Mobile Agents
Autonomous Mobile Protective Agents
Part II—Strategic Defenses: Security Countermeasures
6.6 Cryptography in Network Security
Network Encryption
Browser Encryption
Onion Routing
IP Security Protocol Suite (IPsec)
Virtual Private Networks
System Architecture
6.7 Firewalls
What Is a Firewall?
Design of Firewalls
Types of Firewalls
Personal Firewalls
Comparison of Firewall Types
Example Firewall Configurations
Network Address Translation (NAT)
Data Loss Prevention
6.8 Intrusion Detection and Prevention Systems
Types of IDSs
Other Intrusion Detection Technology
Intrusion Prevention Systems
Intrusion Response
Goals for Intrusion Detection Systems
IDS Strengths and Limitations
6.9 Network Management
Management to Ensure Service
Security Information and Event Management (SIEM)
6.10 Conclusion
6.11 Exercises
7. Databases
7.1 Introduction to Databases
Concept of a Database
Components of Databases
Advantages of Using Databases
7.2 Security Requirements of Databases
Integrity of the Database
Element Integrity
Auditability
Access Control
User Authentication
Availability
Integrity/Confidentiality/Availability
7.3 Reliability and Integrity
Protection Features from the Operating System
Two-Phase Update
Redundancy/Internal Consistency
Recovery
Concurrency/Consistency
7.4 Database Disclosure
Sensitive Data
Types of Disclosures
Preventing Disclosure: Data Suppression and Modification
Security Versus Precision
7.5 Data Mining and Big Data
Data Mining
Big Data
7.6 Conclusion
Exercises
8. Cloud Computing
8.1 Cloud Computing Concepts
Service Models
Deployment Models
8.2 Moving to the Cloud
Risk Analysis
Cloud Provider Assessment
Switching Cloud Providers
Cloud as a Security Control
8.3 Cloud Security Tools and Techniques
Data Protection in the Cloud
Cloud Application Security
Logging and Incident Response
8.4 Cloud Identity Management
Security Assertion Markup Language
OAuth
OAuth for Authentication
8.5 Securing IaaS
Public IaaS Versus Private Network Security
8.6 Conclusion
Where the Field Is Headed
To Learn More
8.7 Exercises
9. Privacy
9.1 Privacy Concepts
Aspects of Information Privacy
Computer-Related Privacy Problems
9.2 Privacy Principles and Policies
Fair Information Practices
U.S. Privacy Laws
Controls on U.S. Government Websites
Controls on Commercial Websites
Non-U.S. Privacy Principles
Individual Actions to Protect Privacy
Governments and Privacy
Identity Theft
9.3 Authentication and Privacy
What Authentication Means
Conclusions
9.4 Data Mining
Government Data Mining
Privacy-Preserving Data Mining
9.5 Privacy on the Web
Understanding the Online Environment
Payments on the Web
Site and Portal Registrations
Whose Page Is This?
Precautions for Web Surfing
Spyware
Shopping on the Internet
9.6 Email Security
Where Does Email Go, and Who Can Access It?
Interception of Email
Monitoring Email
Anonymous, Pseudonymous, and Disappearing Email
Spoofing and Spamming
Summary
9.7 Privacy Impacts of Emerging Technologies
Radio Frequency Identification
Electronic Voting
VoIP and Skype
Privacy in the Cloud
Conclusions on Emerging Technologies
9.8 Where the Field Is Headed
9.9 Conclusion
9.10 Exercises
10. Management and Incidents
10.1 Security Planning
Organizations and Security Plans
Contents of a Security Plan
Security Planning Team Members
Assuring Commitment to a Security Plan
10.2 Business Continuity Planning
Assess Business Impact
Develop Strategy
Develop the Plan
10.3 Handling Incidents
Incident Response Plans
Incident Response Teams
10.4 Risk Analysis
The Nature of Risk
Steps of a Risk Analysis
Arguments For and Against Risk Analysis
10.5 Dealing with Disaster
Natural Disasters
Power Loss
Human Vandals
Interception of Sensitive Information
Contingency Planning
Physical Security Recap
10.6 Conclusion
10.7 Exercises
11. Legal Issues and Ethics
11.1 Protecting Programs and Data
Copyrights
Patents
Trade Secrets
Special Cases
11.2 Information and the Law
Information as an Object
Legal Issues Relating to Information
The Legal System
Summary of Protection for Computer Artifacts
11.3 Rights of Employees and Employers
Ownership of Products
Employment Contracts
11.4 Redress for Software Failures
Selling Correct Software
Reporting Software Flaws
11.5 Computer Crime
Why a Separate Category for Computer Crime Is Needed
Why Computer Crime Is Hard to Define
Why Computer Crime Is Hard to Prosecute
Examples of Statutes
International Dimensions
Why Computer Criminals Are Hard to Catch
What Computer Crime Does Not Address
Summary of Legal Issues in Computer Security
11.6 Ethical Issues in Computer Security
Differences Between the Law and Ethics
Studying Ethics
Ethical Reasoning
11.7 Incident Analysis with Ethics
Situation I: Use of Computer Services
Situation II: Privacy Rights
Situation III: Denial of Service
Situation IV: Ownership of Programs
Situation V: Proprietary Resources
Situation VI: Fraud
Situation VII: Accuracy of Information
Situation VIII: Ethics of Hacking or Cracking
Situation IX: True Representation
Conclusion of Computer Ethics
Conclusion
Exercises
12. Details of Cryptography
12.1 Cryptology
Cryptanalysis
Cryptographic Primitives
One-Time Pads
Statistical Analysis
What Makes a “Secure” Encryption Algorithm?
12.2 Symmetric Encryption Algorithms
DES
AES
RC2, RC4, RC5, and RC6
12.3 Asymmetric Encryption with RSA
The RSA Algorithm
Strength of the RSA Algorithm
12.4 Message Digests
Hash Functions
One-Way Hash Functions
Message Digests
12.5 Digital Signatures
Elliptic Curve Cryptosystems
El Gamal and Digital Signature Algorithms
The NSA–Cryptography Controversy of 2012
12.6 Quantum Cryptography
Quantum Physics
Photon Reception
Cryptography with Photons
Implementation
12.7 Conclusion
13. Emerging Topics
13.1 The Internet of Things
Medical Devices
Mobile Phones
Security in the Internet of Things
13.2 Economics
Making a Business Case
Quantifying Security
Current Research and Future Directions
13.3 Electronic Voting
What Is Electronic Voting?
What Is a Fair Election?
What Are the Critical Issues?
13.4 Cyber Warfare
What Is Cyber Warfare?
Possible Examples of Cyber Warfare
Critical Issues
13.5 Conclusion
Bibliography
Index
Code Snippets