Principles of Computer Security, Fourth Edition, 4th Edition

Book Description

Written by leading information security educators, this fully revised, full-color computer security textbook covers CompTIA’s fastest-growing credential, CompTIA Security+.

Principles of Computer Security, Fourth Edition is a student-tested, introductory computer security textbook that provides comprehensive coverage of computer and network security fundamentals in an engaging and dynamic full-color design.

In addition to teaching key computer security concepts, the textbook also fully prepares you for CompTIA Security+ exam SY0-401 with 100% coverage of all exam objectives. Each chapter begins with a list of topics to be covered and features sidebar exam and tech tips, a chapter summary, and an end-of-chapter assessment section that includes key term, multiple choice, and essay quizzes as well as lab projects. Electronic content includes CompTIA Security+ practice exam questions and a PDF copy of the book.

  • CompTIA Approved Quality Content (CAQC)
  • Instructor resource materials include Online Learning Center with Instructor Manuals, PowerPoint slides featuring artwork from the book, and a test bank of questions for use as quizzes or exams
  • Electronic content includes CompTIA Security+ practice exam questions and a PDF copy of the book
  • Supplemented by Principles of Computer Security Lab Manual, Fourth Edition
  • White and Conklin are two of the most well-respected computer security educators in higher education

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright
  4. About the Authors
  5. Acknowledgments
  6. Contents at a Glance
  7. Contents
  8. Foreword
  9. Preface
  10. Introduction
  11. Instructor Web Site
  12. Chapter 1 Introduction and Security Trends
    1. The Computer Security Problem
      1. Definition of Computer Security
      2. Historical Security Incidents
      3. The Current Threat Environment
      4. Threats to Security
      5. Security Trends
    2. Targets and Attacks
      1. Specific Target
      2. Opportunistic Target
      3. Minimizing Possible Avenues of Attack
    3. Approaches to Computer Security
    4. Ethics
    5. Additional References
    6. Chapter 1 Review
  13. Chapter 2 General Security Concepts
    1. Basic Security Terminology
      1. Security Basics
      2. Security Tenets
      3. Security Approaches
      4. Security Principles
      5. Access Control
      6. Authentication Mechanisms
      7. Authentication and Access Control Policies
    2. Security Models
      1. Confidentiality Models
      2. Integrity Models
    3. Chapter 2 Review
  14. Chapter 3 Operational and Organizational Security
    1. Policies, Procedures, Standards, and Guidelines
      1. Security Policies
      2. Change Management Policy
      3. Data Policies
      4. Human Resources Policies
      5. Due Care and Due Diligence
      6. Due Process
      7. Incident Response Policies and Procedures
    2. Security Awareness and Training
      1. Security Policy Training and Procedures
      2. Role-Based Training
      3. Compliance with Laws, Best Practices, and Standards
      4. User Habits
      5. New Threats and Security Trends/Alerts
      6. Training Metrics and Compliance
    3. Interoperability Agreements
      1. Service Level Agreements
      2. Business Partnership Agreement
      3. Memorandum of Understanding
      4. Interconnection Security Agreement
    4. The Security Perimeter
    5. Physical Security
      1. Physical Access Controls
      2. Physical Barriers
    6. Environmental Issues
      1. Fire Suppression
    7. Wireless
    8. Electromagnetic Eavesdropping
      1. Modern Eavesdropping
    9. Chapter 3 Review
  15. Chapter 4 The Role of People in Security
    1. People—A Security Problem
      1. Social Engineering
      2. Poor Security Practices
    2. People as a Security Tool
      1. Security Awareness
      2. Security Policy Training and Procedures
    3. Chapter 4 Review
  16. Chapter 5 Cryptography
    1. Cryptography in Practice
      1. Fundamental Methods
      2. Comparative Strengths and Performance of Algorithms
    2. Historical Perspectives
      1. Substitution Ciphers
      2. One-Time Pads
    3. Algorithms
      1. Key Management
      2. Random Numbers
    4. Hashing Functions
      1. SHA
      2. RIPEMD
      3. Message Digest
      4. Hashing Summary
    5. Symmetric Encryption
      1. DES
      2. 3DES
      3. AES
      4. CAST
      5. RC
      6. Blowfish
      7. Twofish
      8. IDEA
      9. Block vs. Stream
      10. Symmetric Encryption Summary
    6. Asymmetric Encryption
      1. Diffie-Hellman
      2. RSA
      3. ElGamal
      4. ECC
      5. Asymmetric Encryption Summary
      6. Symmetric vs. Asymmetric
    7. Quantum Cryptography
    8. Steganography
    9. Cryptography Algorithm Use
      1. Confidentiality
      2. Integrity
      3. Authentication
      4. Nonrepudiation
      5. Cipher Suites
      6. Key Exchange
      7. Key Escrow
      8. Session Keys
      9. Ephemeral Keys
      10. Key Stretching
      11. Secrecy Principles
      12. Transport Encryption
      13. Digital Signatures
      14. Digital Rights Management
      15. Cryptographic Applications
      16. Use of Proven Technologies
    10. Chapter 5 Review
  17. Chapter 6 Public Key Infrastructure
    1. The Basics of Public Key Infrastructures
    2. Certificate Authorities
    3. Registration Authorities
      1. Local Registration Authorities
    4. Digital Certificates
      1. Certificate Extensions
      2. Certificate Attributes
    5. Certificate Lifecycles
      1. Registration and Generation
      2. CSR
      3. Renewal
      4. Suspension
      5. Revocation
      6. Key Destruction
    6. Certificate Repositories
    7. Trust and Certificate Verification
    8. Centralized and Decentralized Infrastructures
      1. Hardware Security Modules
      2. Private Key Protection
      3. Key Recovery
      4. Key Escrow
    9. Public Certificate Authorities
    10. In-House Certificate Authorities
      1. Choosing Between a Public CA and an In-House CA
      2. Outsourced Certificate Authorities
      3. Tying Different PKIs Together
      4. Trust Models
    11. Certificate-Based Threats
      1. Stolen Certificates
    12. Chapter 6 Review
  18. Chapter 7 PKI Standards and Protocols
    1. PKIX and PKCS
      1. PKIX Standards
      2. PKCS
      3. Why You Need to Know the PKIX and PKCS Standards
    2. X.509
    3. SSL/TLS
    4. Cipher Suites
    5. ISAKMP
    6. CMP
    7. XKMS
    8. S/MIME
      1. IETF S/MIME History
      2. IETF S/MIME v3 Specifications
    9. PGP
      1. How PGP Works
    10. HTTPS
    11. IPsec
    12. CEP
    13. Other Standards
      1. FIPS
      2. Common Criteria
      3. WTLS
      4. ISO/IEC 27002 (Formerly ISO 17799)
      5. SAML
    14. Chapter 7 Review
  19. Chapter 8 Physical Security
    1. The Security Problem
    2. Physical Security Safeguards
      1. Walls and Guards
      2. Physical Access Controls and Monitoring
      3. Convergence
      4. Policies and Procedures
      5. Environmental Controls
    3. Fire Suppression
      1. Water-Based Fire Suppression Systems
      2. Halon-Based Fire Suppression Systems
      3. Clean-Agent Fire Suppression Systems
      4. Handheld Fire Extinguishers
      5. Fire Detection Devices
    4. Power Protection
      1. UPS
      2. Backup Power and Cable Shielding
      3. Electromagnetic Interference
    5. Electronic Access Control Systems
      1. Access Tokens
    6. Chapter 8 Review
  20. Chapter 9 Network Fundamentals
    1. Network Architectures
    2. Network Topology
    3. Network Protocols
      1. Protocols
      2. Packets
    4. Internet Protocol
      1. IP Packets
      2. TCP vs. UDP
      3. ICMP
    5. IPv4 vs. IPv6
    6. Packet Delivery
      1. Ethernet
      2. Local Packet Delivery
      3. Remote Packet Delivery
      4. IP Addresses and Subnetting
      5. Network Address Translation
    7. Security Zones
      1. DMZ
      2. Internet
      3. Intranet
      4. Extranet
      5. Flat Networks
      6. Enclaves
      7. VLANs
      8. Zones and Conduits
    8. Tunneling
    9. Storage Area Networks
      1. iSCSI
      2. Fibre Channel
      3. FCoE
    10. Chapter 9 Review
  21. Chapter 10 Infrastructure Security
    1. Devices
      1. Workstations
      2. Servers
      3. Virtualization
      4. Mobile Devices
      5. Device Security, Common Concerns
      6. Network Attached Storage
      7. Removable Storage
    2. Networking
      1. Network Interface Cards
      2. Hubs
      3. Bridges
      4. Switches
      5. Routers
      6. Firewalls
      7. How Do Firewalls Work?
      8. Next-Generation Firewalls
      9. Web Application Firewalls vs. Network Firewalls
      10. Concentrators
      11. Wireless Devices
      12. Modems
      13. Telephony
      14. VPN Concentrator
    3. Security Devices
      1. Intrusion Detection Systems
      2. Network Access Control
      3. Network Monitoring/Diagnostic
      4. Load Balancers
      5. Proxies
      6. Web Security Gateways
      7. Internet Content Filters
      8. Data Loss Prevention
      9. Unified Threat Management
    4. Media
      1. Coaxial Cable
      2. UTP/STP
      3. Fiber
      4. Unguided Media
    5. Removable Media
      1. Magnetic Media
      2. Optical Media
      3. Electronic Media
    6. Security Concerns for Transmission Media
    7. Physical Security Concerns
    8. Cloud Computing
      1. Private
      2. Public
      3. Hybrid
      4. Community
      5. Software as a Service
      6. Platform as a Service
      7. Infrastructure as a Service
    9. Chapter 10 Review
  22. Chapter 11 Authentication and Remote Access
    1. User, Group, and Role Management
      1. User
      2. Group
      3. Role
    2. Password Policies
      1. Domain Password Policy
    3. Single Sign-On
      1. Time of Day Restrictions
      2. Tokens
      3. Account and Password Expiration
    4. Security Controls and Permissions
      1. Access Control Lists
      2. Mandatory Access Control (MAC)
      3. Discretionary Access Control (DAC)
      4. Role-Based Access Control (RBAC)
      5. Rule-Based Access Control
      6. Attribute Based Access Control (ABAC)
      7. Account Expiration
    5. Preventing Data Loss or Theft
    6. The Remote Access Process
      1. Identification
      2. Authentication
      3. Authorization
      4. Access Control
    7. Remote Access Methods
      1. IEEE 802.1X
      2. RADIUS
      3. TACACS+
      4. Authentication Protocols
      5. FTP/FTPS/SFTP
      6. VPNs
      7. IPsec
      8. Vulnerabilities of Remote Access Methods
    8. Connection Summary
    9. Chapter 11 Review
  23. Chapter 12 Wireless Security and Mobile Devices
    1. Introduction to Wireless Networking
    2. Mobile Phones
      1. Wireless Application Protocol
      2. 3G Mobile Networks
      3. 4G Mobile Networks
    3. Bluetooth
      1. Bluetooth Attacks
    4. Near Field Communication
    5. IEEE 802.11 Series
      1. 802.11: Individual Standards
      2. Attacking 802.11
      3. Current Security Methods
    6. Wireless Systems Configuration
      1. Antenna Types
      2. Antenna Placement
      3. Power Level Controls
      4. Site Surveys
      5. Captive Portals
      6. Securing Public Wi-Fi
    7. Mobile Devices
      1. Mobile Device Security
      2. BYOD Concerns
      3. Location Services
      4. Mobile Application Security
    8. Chapter 12 Review
  24. Chapter 13 Intrusion Detection Systems and Network Security
    1. History of Intrusion Detection Systems
    2. IDS Overview
      1. IDS Models
      2. Signatures
      3. False Positives and False Negatives
    3. Network-Based IDSs
      1. Advantages of a NIDS
      2. Disadvantages of a NIDS
      3. Active vs. Passive NIDSs
      4. NIDS Tools
    4. Host-Based IDSs
      1. Advantages of HIDSs
      2. Disadvantages of HIDSs
      3. Active vs. Passive HIDSs
      4. Resurgence and Advancement of HIDSs
    5. Intrusion Prevention Systems
    6. Honeypots and Honeynets
    7. Tools
      1. Protocol Analyzer
      2. Switched Port Analyzer
      3. Port Scanner
      4. Passive vs. Active Tools
      5. Banner Grabbing
    8. Chapter 13 Review
  25. Chapter 14 System Hardening and Baselines
    1. Overview of Baselines
    2. Operating System and Network Operating System Hardening
      1. OS Security
    3. Host Security
      1. Machine Hardening
      2. Operating System Security and Settings
      3. OS Hardening
      4. Hardening Microsoft Operating Systems
      5. Hardening UNIX- or Linux-Based Operating Systems
      6. Updates (a.k.a. Hotfixes, Service Packs, and Patches)
      7. Antimalware
      8. White Listing vs. Black Listing Applications
      9. Trusted OS
      10. Host-based Firewalls
      11. Hardware Security
      12. Host Software Baselining
    4. Host-Based Security Controls
      1. Hardware-Based Encryption Devices
      2. Data Encryption
      3. Data Security
      4. Handling Big Data
      5. Cloud Storage
      6. Storage Area Network
      7. Permissions/ACL
    5. Network Hardening
      1. Software Updates
      2. Device Configuration
      3. Securing Management Interfaces
      4. VLAN Management
      5. IPv4 vs. IPv6
    6. Application Hardening
      1. Application Configuration Baseline
      2. Application Patches
      3. Patch Management
      4. Host Software Baselining
    7. Group Policies
    8. Security Templates
    9. Alternative Environments
      1. SCADA
      2. Embedded Systems
      3. Phones and Mobile Devices
      4. Mainframe
      5. Game Consoles
      6. In-Vehicle Computing Systems
      7. Alternative Environment Methods
      8. Network Segmentation
      9. Security Layers
      10. Application Firewalls
      11. Manual Updates
      12. Firmware Version Control
      13. Wrappers
      14. Control Redundancy and Diversity
    10. Chapter 14 Review
  26. Chapter 15 Types of Attacks and Malicious Software
    1. Avenues of Attack
      1. Minimizing Possible Avenues of Attack
    2. Malicious Code
      1. Viruses
      2. Worms
      3. Polymorphic Malware
      4. Trojan Horses
      5. Rootkits
      6. Logic Bombs
      7. Spyware
      8. Adware
      9. Botnets
      10. Backdoors and Trapdoors
      11. Ransomware
      12. Malware Defenses
    3. Attacking Computer Systems and Networks
      1. Denial-of-Service Attacks
      2. Social Engineering
      3. Null Sessions
      4. Sniffing
      5. Spoofing
      6. TCP/IP Hijacking
      7. Man-in-the-Middle Attacks
      8. Replay Attacks
      9. Transitive Access
      10. Spam
      11. Spim
      12. Phishing
      13. Spear Phishing
      14. Vishing
      15. Pharming
      16. Scanning Attacks
      17. Attacks on Encryption
      18. Address System Attacks
      19. Cache Poisoning
      20. Password Guessing
      21. Pass-the-Hash Attacks
      22. Software Exploitation
      23. Client-Side Attacks
    4. Advanced Persistent Threat
      1. Remote Access Trojans
    5. Tools
      1. Metasploit
      2. BackTrack/Kali
      3. Social-Engineering Toolkit
      4. Cobalt Strike
      5. Core Impact
      6. Burp Suite
    6. Auditing
      1. Perform Routine Audits
    7. Chapter 15 Review
  27. Chapter 16 E-Mail and Instant Messaging
    1. How E-Mail Works
      1. E-Mail Structure
      2. MIME
    2. Security of E-Mail
      1. Malicious Code
      2. Hoax E-Mails
      3. Unsolicited Commercial E-Mail (Spam)
      4. Sender ID Framework
      5. DomainKeys Identified Mail
    3. Mail Encryption
      1. S/MIME
      2. PGP
    4. Instant Messaging
      1. Modern Instant Messaging Systems
    5. Chapter 16 Review
  28. Chapter 17 Web Components
    1. Current Web Components and Concerns
    2. Web Protocols
      1. Encryption (SSL and TLS)
      2. The Web (HTTP and HTTPS)
      3. HTTPS Everywhere
      4. HTTP Strict Transport Security
      5. Directory Services (DAP and LDAP)
      6. File Transfer (FTP and SFTP)
      7. Vulnerabilities
    3. Code-Based Vulnerabilities
      1. Buffer Overflows
      2. Java
      3. JavaScript
      4. ActiveX
      5. Securing the Browser
      6. CGI
      7. Server-Side Scripts
      8. Cookies
      9. Browser Plug-ins
      10. Malicious Add-ons
      11. Signed Applets
    4. Application-Based Weaknesses
      1. Session Hijacking
      2. Client-Side Attacks
      3. Web 2.0 and Security
    5. Chapter 17 Review
  29. Chapter 18 Secure Software Development
    1. The Software Engineering Process
      1. Process Models
      2. Secure Development Lifecycle
    2. Secure Coding Concepts
      1. Error and Exception Handling
      2. Input and Output Validation
      3. Fuzzing
      4. Bug Tracking
    3. Application Attacks
      1. Cross-Site Scripting
      2. Injections
      3. Directory Traversal/Command Injection
      4. Buffer Overflow
      5. Integer Overflow
      6. Cross-Site Request Forgery
      7. Zero-Day
      8. Attachments
      9. Locally Shared Objects
      10. Client-Side Attacks
      11. Arbitrary/Remote Code Execution
      12. Open Vulnerability and Assessment Language
    4. Application Hardening
      1. Application Configuration Baseline
      2. Application Patch Management
      3. NoSQL Databases vs. SQL Databases
      4. Server-Side vs. Client-Side Validation
    5. Chapter 18 Review
  30. Chapter 19 Business Continuity and Disaster Recovery, and Organizational Policies
    1. Business Continuity
      1. Business Continuity Plans
      2. Business Impact Analysis
      3. Identification of Critical Systems and Components
      4. Removing Single Points of Failure
      5. Risk Assessment
      6. Succession Planning
      7. Continuity of Operations
    2. Disaster Recovery
      1. Disaster Recovery Plans/Process
      2. Categories of Business Functions
      3. IT Contingency Planning
      4. Test, Exercise, and Rehearse
      5. Recovery Time Objective and Recovery Point Objective
      6. Backups
      7. Alternative Sites
      8. Utilities
      9. Secure Recovery
      10. Cloud Computing
      11. High Availability and Fault Tolerance
      12. Failure and Recovery Timing
    3. Chapter 19 Review
  31. Chapter 20 Risk Management
    1. An Overview of Risk Management
      1. Example of Risk Management at the International Banking Level
      2. Risk Management Vocabulary
    2. What Is Risk Management?
      1. Risk Management Culture
    3. Business Risks
      1. Examples of Business Risks
      2. Examples of Technology Risks
    4. Risk Mitigation Strategies
      1. Change Management
      2. Incident Management
      3. User Rights and Permissions Reviews
      4. Data Loss or Theft
    5. Risk Management Models
      1. General Risk Management Model
      2. Software Engineering Institute Model
      3. NIST Risk Models
      4. Model Application
    6. Qualitatively Assessing Risk
    7. Quantitatively Assessing Risk
      1. Adding Objectivity to a Qualitative Assessment
      2. Risk Calculation
    8. Qualitative vs. Quantitative Risk Assessment
    9. Tools
      1. Cost-Effectiveness Modeling
    10. Risk Management Best Practices
      1. System Vulnerabilities
      2. Threat Vectors
      3. Probability/Threat Likelihood
      4. Risk-Avoidance, Transference, Acceptance, Mitigation, Deterrence
      5. Risks Associated with Cloud Computing and Virtualization
    11. Chapter 20 Review
  32. Chapter 21 Change Management
    1. Why Change Management?
    2. The Key Concept: Separation of Duties
    3. Elements of Change Management
    4. Implementing Change Management
      1. Back-out Plan
    5. The Purpose of a Change Control Board
      1. Code Integrity
    6. The Capability Maturity Model Integration
    7. Chapter 21 Review
  33. Chapter 22 Incident Response
    1. Foundations of Incident Response
      1. Incident Management
      2. Anatomy of an Attack
      3. Goals of Incident Response
    2. Incident Response Process
      1. Preparation
      2. Security Measure Implementation
      3. Incident Identification/Detection
      4. Initial Response
      5. Incident Isolation
      6. Strategy Formulation
      7. Investigation
      8. Recovery/Reconstitution Procedures
      9. Reporting
      10. Follow-up/Lessons Learned
    3. Standards and Best Practices
      1. State of Compromise
      2. NIST
      3. Department of Justice
      4. Indicators of Compromise
      5. Cyber Kill Chain
      6. Making Security Measurable
    4. Chapter 22 Review
  34. Chapter 23 Computer Forensics
    1. Evidence
      1. Types of Evidence
      2. Standards for Evidence
      3. Three Rules Regarding Evidence
    2. Forensic Process
      1. Acquiring Evidence
      2. Identifying Evidence
      3. Protecting Evidence
      4. Transporting Evidence
      5. Storing Evidence
      6. Conducting the Investigation
    3. Analysis
    4. Chain of Custody
    5. Message Digest and Hash
    6. Host Forensics
      1. File Systems
      2. Windows Metadata
      3. Linux Metadata
    7. Device Forensics
    8. Network Forensics
    9. E-Discovery
      1. Reference Model
      2. Big Data
      3. Cloud
    10. Chapter 23 Review
  35. Chapter 24 Legal Issues and Ethics
    1. Cybercrime
      1. Common Internet Crime Schemes
      2. Sources of Laws
      3. Computer Trespass
      4. Significant U.S. Laws
      5. Payment Card Industry Data Security Standard (PCI DSS)
      6. Import/Export Encryption Restrictions
      7. Non-U.S. Laws
      8. Digital Signature Laws
      9. Digital Rights Management
    2. Ethics
    3. Chapter 24 Review
  36. Chapter 25 Privacy
    1. Personally Identifiable Information (PII)
      1. Sensitive PII
      2. Notice, Choice, and Consent
    2. U.S. Privacy Laws
      1. Privacy Act of 1974
      2. Freedom of Information Act (FOIA)
      3. Family Education Records and Privacy Act (FERPA)
      4. U.S. Computer Fraud and Abuse Act (CFAA)
      5. U.S. Children’s Online Privacy Protection Act (COPPA)
      6. Video Privacy Protection Act (VPPA)
      7. Health Insurance Portability & Accountability Act (HIPAA)
      8. Gramm-Leach-Bliley Act (GLBA)
      9. California Senate Bill 1386 (SB 1386)
      10. U.S. Banking Rules and Regulations
      11. Payment Card Industry Data Security Standard (PCI DSS)
      12. Fair Credit Reporting Act (FCRA)
      13. Fair and Accurate Credit Transactions Act (FACTA)
    3. Non-Federal Privacy Concerns in the United States
    4. International Privacy Laws
      1. OECD Fair Information Practices
      2. European Laws
      3. Canadian Laws
      4. Asian Laws
    5. Privacy-Enhancing Technologies
    6. Privacy Policies
      1. Privacy Impact Assessment
    7. Web Privacy Issues
      1. Cookies
    8. Privacy in Practice
      1. User Actions
      2. Data Breaches
    9. Chapter 25 Review
  37. Appendix A CompTIA Security+ Exam Objectives: SY0-401
  38. Appendix B About the Download
    1. System Requirements
    2. Downloading Total Tester Premium Practice Exam Software
    3. Total Tester Premium Practice Exam Software
      1. Installing and Running Total Tester
    4. Technical Support
      1. Total Seminars Technical Support
      2. McGraw-Hill Education Content Support
  39. Glossary
  40. Index