You are previewing Security in Computing, Fifth Edition.
O'Reilly logo
Security in Computing, Fifth Edition

Book Description

The New State of the Art in Information Security: Now Covers Cloud Computing, the Internet of Things, and Cyberwarfare

Students and IT and security professionals have long relied on Security in Computing as the definitive guide to computer security attacks and countermeasures. Now, the authors have thoroughly updated this classic to reflect today’s newest technologies, attacks, standards, and trends.

Security in Computing, Fifth Edition, offers complete, timely coverage of all aspects of computer security, including users, software, devices, operating systems, networks, and data. Reflecting rapidly evolving attacks, countermeasures, and computing environments, this new edition introduces best practices for authenticating users, preventing malicious code execution, using encryption, protecting privacy, implementing firewalls, detecting intrusions, and more. More than two hundred end-of-chapter exercises help the student to solidify lessons learned in each chapter.

Combining breadth, depth, and exceptional clarity, this comprehensive guide builds carefully from simple to complex topics, so you always understand all you need to know before you move forward.

You’ll start by mastering the field’s basic terms, principles, and concepts. Next, you’ll apply these basics in diverse situations and environments, learning to ”think like an attacker” and identify exploitable weaknesses. Then you will switch to defense, selecting the best available solutions and countermeasures. Finally, you’ll go beyond technology to understand crucial management issues in protecting infrastructure and data.

New coverage includes

  • A full chapter on securing cloud environments and managing their unique risks

  • Extensive new coverage of security issues associated with user—web interaction

  • New risks and techniques for safeguarding the Internet of Things

  • A new primer on threats to privacy and how to guard it

  • An assessment of computers and cyberwarfare–recent attacks and emerging risks

  • Security flaws and risks associated with electronic voting systems

  • Table of Contents

    1. About This eBook
    2. Title Page
    3. Copyright Page
    4. Dedication Page
    5. Contents
    6. Foreword
      1. Citations
    7. Preface
      1. Why Read This Book?
      2. Uses for and Users of This Book
      3. Organization of This Book
      4. How to Read This Book
      5. What Is New in This Book
    8. Acknowledgments
    9. About the Authors
    10. 1. Introduction
      1. 1.1 What Is Computer Security?
        1. Values of Assets
        2. The Vulnerability–Threat–Control Paradigm
      2. 1.2 Threats
        1. Confidentiality
        2. Integrity
        3. Availability
        4. Types of Threats
        5. Types of Attackers
      3. 1.3 Harm
        1. Risk and Common Sense
        2. Method–Opportunity–Motive
      4. 1.4 Vulnerabilities
      5. 1.5 Controls
      6. 1.6 Conclusion
      7. 1.7 What’s Next?
      8. 1.8 Exercises
    11. 2. Toolbox: Authentication, Access Control, and Cryptography
      1. 2.1 Authentication
        1. Identification Versus Authentication
        2. Authentication Based on Phrases and Facts: Something You Know
        3. Authentication Based on Biometrics: Something You Are
        4. Authentication Based on Tokens: Something You Have
        5. Federated Identity Management
        6. Multifactor Authentication
        7. Secure Authentication
      2. 2.2 Access Control
        1. Access Policies
        2. Implementing Access Control
        3. Procedure-Oriented Access Control
        4. Role-Based Access Control
      3. 2.3 Cryptography
        1. Problems Addressed by Encryption
        2. Terminology
        3. DES: The Data Encryption Standard
        4. AES: Advanced Encryption System
        5. Public Key Cryptography
        6. Public Key Cryptography to Exchange Secret Keys
        7. Error Detecting Codes
        8. Trust
        9. Certificates: Trustable Identities and Public Keys
        10. Digital Signatures—All the Pieces
      4. 2.4 Exercises
    12. 3. Programs and Programming
      1. 3.1 Unintentional (Nonmalicious) Programming Oversights
        1. Buffer Overflow
        2. Incomplete Mediation
        3. Time-of-Check to Time-of-Use
        4. Undocumented Access Point
        5. Off-by-One Error
        6. Integer Overflow
        7. Unterminated Null-Terminated String
        8. Parameter Length, Type, and Number
        9. Unsafe Utility Program
        10. Race Condition
      2. 3.2 Malicious Code—Malware
        1. Malware—Viruses, Trojan Horses, and Worms
        2. Technical Details: Malicious Code
      3. 3.3 Countermeasures
        1. Countermeasures for Users
        2. Countermeasures for Developers
        3. Countermeasure Specifically for Security
        4. Countermeasures that Don’t Work
      4. Conclusion
      5. Exercises
    13. 4. The Web—User Side
      1. 4.1 Browser Attacks
        1. Browser Attack Types
        2. How Browser Attacks Succeed: Failed Identification and Authentication
      2. 4.2 Web Attacks Targeting Users
        1. False or Misleading Content
        2. Malicious Web Content
        3. Protecting Against Malicious Web Pages
      3. 4.3 Obtaining User or Website Data
        1. Code Within Data
        2. Website Data: A User’s Problem, Too
        3. Foiling Data Attacks
      4. 4.4 Email Attacks
        1. Fake Email
        2. Fake Email Messages as Spam
        3. Fake (Inaccurate) Email Header Data
        4. Phishing
        5. Protecting Against Email Attacks
      5. 4.5 Conclusion
      6. 4.6 Exercises
    14. 5. Operating Systems
      1. 5.1 Security in Operating Systems
        1. Background: Operating System Structure
        2. Security Features of Ordinary Operating Systems
        3. A Bit of History
        4. Protected Objects
        5. Operating System Tools to Implement Security Functions
      2. 5.2 Security in the Design of Operating Systems
        1. Simplicity of Design
        2. Layered Design
        3. Kernelized Design
        4. Reference Monitor
        5. Correctness and Completeness
        6. Secure Design Principles
        7. Trusted Systems
        8. Trusted System Functions
        9. The Results of Trusted Systems Research
      3. 5.3 Rootkit
        1. Phone Rootkit
        2. Rootkit Evades Detection
        3. Rootkit Operates Unchecked
        4. Sony XCP Rootkit
        5. TDSS Rootkits
        6. Other Rootkits
      4. 5.4 Conclusion
      5. 5.5 Exercises
    15. 6. Networks
      1. 6.1 Network Concepts
        1. Background: Network Transmission Media
        2. Background: Protocol Layers
        3. Background: Addressing and Routing
      2. Part I—War on Networks: Network Security Attacks
      3. 6.2 Threats to Network Communications
        1. Interception: Eavesdropping and Wiretapping
        2. Modification, Fabrication: Data Corruption
        3. Interruption: Loss of Service
        4. Port Scanning
        5. Vulnerability Summary
      4. 6.3 Wireless Network Security
        1. WiFi Background
        2. Vulnerabilities in Wireless Networks
        3. Failed Countermeasure: WEP (Wired Equivalent Privacy)
        4. Stronger Protocol Suite: WPA (WiFi Protected Access)
      5. 6.4 Denial of Service
        1. Example: Massive Estonian Web Failure
        2. How Service Is Denied
        3. Flooding Attacks in Detail
        4. Network Flooding Caused by Malicious Code
        5. Network Flooding by Resource Exhaustion
        6. Denial of Service by Addressing Failures
        7. Traffic Redirection
        8. DNS Attacks
        9. Exploiting Known Vulnerabilities
        10. Physical Disconnection
      6. 6.5 Distributed Denial-of-Service
        1. Scripted Denial-of-Service Attacks
        2. Bots
        3. Botnets
        4. Malicious Autonomous Mobile Agents
        5. Autonomous Mobile Protective Agents
      7. Part II—Strategic Defenses: Security Countermeasures
      8. 6.6 Cryptography in Network Security
        1. Network Encryption
        2. Browser Encryption
        3. Onion Routing
        4. IP Security Protocol Suite (IPsec)
        5. Virtual Private Networks
        6. System Architecture
      9. 6.7 Firewalls
        1. What Is a Firewall?
        2. Design of Firewalls
        3. Types of Firewalls
        4. Personal Firewalls
        5. Comparison of Firewall Types
        6. Example Firewall Configurations
        7. Network Address Translation (NAT)
        8. Data Loss Prevention
      10. 6.8 Intrusion Detection and Prevention Systems
        1. Types of IDSs
        2. Other Intrusion Detection Technology
        3. Intrusion Prevention Systems
        4. Intrusion Response
        5. Goals for Intrusion Detection Systems
        6. IDS Strengths and Limitations
      11. 6.9 Network Management
        1. Management to Ensure Service
        2. Security Information and Event Management (SIEM)
      12. 6.10 Conclusion
      13. 6.11 Exercises
    16. 7. Databases
      1. 7.1 Introduction to Databases
        1. Concept of a Database
        2. Components of Databases
        3. Advantages of Using Databases
      2. 7.2 Security Requirements of Databases
        1. Integrity of the Database
        2. Element Integrity
        3. Auditability
        4. Access Control
        5. User Authentication
        6. Availability
        7. Integrity/Confidentiality/Availability
      3. 7.3 Reliability and Integrity
        1. Protection Features from the Operating System
        2. Two-Phase Update
        3. Redundancy/Internal Consistency
        4. Recovery
        5. Concurrency/Consistency
      4. 7.4 Database Disclosure
        1. Sensitive Data
        2. Types of Disclosures
        3. Preventing Disclosure: Data Suppression and Modification
        4. Security Versus Precision
      5. 7.5 Data Mining and Big Data
        1. Data Mining
        2. Big Data
      6. 7.6 Conclusion
      7. Exercises
    17. 8. Cloud Computing
      1. 8.1 Cloud Computing Concepts
        1. Service Models
        2. Deployment Models
      2. 8.2 Moving to the Cloud
        1. Risk Analysis
        2. Cloud Provider Assessment
        3. Switching Cloud Providers
        4. Cloud as a Security Control
      3. 8.3 Cloud Security Tools and Techniques
        1. Data Protection in the Cloud
        2. Cloud Application Security
        3. Logging and Incident Response
      4. 8.4 Cloud Identity Management
        1. Security Assertion Markup Language
        2. OAuth
        3. OAuth for Authentication
      5. 8.5 Securing IaaS
        1. Public IaaS Versus Private Network Security
      6. 8.6 Conclusion
        1. Where the Field Is Headed
        2. To Learn More
      7. 8.7 Exercises
    18. 9. Privacy
      1. 9.1 Privacy Concepts
        1. Aspects of Information Privacy
        2. Computer-Related Privacy Problems
      2. 9.2 Privacy Principles and Policies
        1. Fair Information Practices
        2. U.S. Privacy Laws
        3. Controls on U.S. Government Websites
        4. Controls on Commercial Websites
        5. Non-U.S. Privacy Principles
        6. Individual Actions to Protect Privacy
        7. Governments and Privacy
        8. Identity Theft
      3. 9.3 Authentication and Privacy
        1. What Authentication Means
        2. Conclusions
      4. 9.4 Data Mining
        1. Government Data Mining
        2. Privacy-Preserving Data Mining
      5. 9.5 Privacy on the Web
        1. Understanding the Online Environment
        2. Payments on the Web
        3. Site and Portal Registrations
        4. Whose Page Is This?
        5. Precautions for Web Surfing
        6. Spyware
        7. Shopping on the Internet
      6. 9.6 Email Security
        1. Where Does Email Go, and Who Can Access It?
        2. Interception of Email
        3. Monitoring Email
        4. Anonymous, Pseudonymous, and Disappearing Email
        5. Spoofing and Spamming
        6. Summary
      7. 9.7 Privacy Impacts of Emerging Technologies
        1. Radio Frequency Identification
        2. Electronic Voting
        3. VoIP and Skype
        4. Privacy in the Cloud
        5. Conclusions on Emerging Technologies
      8. 9.8 Where the Field Is Headed
      9. 9.9 Conclusion
      10. 9.10 Exercises
    19. 10. Management and Incidents
      1. 10.1 Security Planning
        1. Organizations and Security Plans
        2. Contents of a Security Plan
        3. Security Planning Team Members
        4. Assuring Commitment to a Security Plan
      2. 10.2 Business Continuity Planning
        1. Assess Business Impact
        2. Develop Strategy
        3. Develop the Plan
      3. 10.3 Handling Incidents
        1. Incident Response Plans
        2. Incident Response Teams
      4. 10.4 Risk Analysis
        1. The Nature of Risk
        2. Steps of a Risk Analysis
        3. Arguments For and Against Risk Analysis
      5. 10.5 Dealing with Disaster
        1. Natural Disasters
        2. Power Loss
        3. Human Vandals
        4. Interception of Sensitive Information
        5. Contingency Planning
        6. Physical Security Recap
      6. 10.6 Conclusion
      7. 10.7 Exercises
    20. 11. Legal Issues and Ethics
      1. 11.1 Protecting Programs and Data
        1. Copyrights
        2. Patents
        3. Trade Secrets
        4. Special Cases
      2. 11.2 Information and the Law
        1. Information as an Object
        2. Legal Issues Relating to Information
        3. The Legal System
        4. Summary of Protection for Computer Artifacts
      3. 11.3 Rights of Employees and Employers
        1. Ownership of Products
        2. Employment Contracts
      4. 11.4 Redress for Software Failures
        1. Selling Correct Software
        2. Reporting Software Flaws
      5. 11.5 Computer Crime
        1. Why a Separate Category for Computer Crime Is Needed
        2. Why Computer Crime Is Hard to Define
        3. Why Computer Crime Is Hard to Prosecute
        4. Examples of Statutes
        5. International Dimensions
        6. Why Computer Criminals Are Hard to Catch
        7. What Computer Crime Does Not Address
        8. Summary of Legal Issues in Computer Security
      6. 11.6 Ethical Issues in Computer Security
        1. Differences Between the Law and Ethics
        2. Studying Ethics
        3. Ethical Reasoning
      7. 11.7 Incident Analysis with Ethics
        1. Situation I: Use of Computer Services
        2. Situation II: Privacy Rights
        3. Situation III: Denial of Service
        4. Situation IV: Ownership of Programs
        5. Situation V: Proprietary Resources
        6. Situation VI: Fraud
        7. Situation VII: Accuracy of Information
        8. Situation VIII: Ethics of Hacking or Cracking
        9. Situation IX: True Representation
        10. Conclusion of Computer Ethics
      8. Conclusion
      9. Exercises
    21. 12. Details of Cryptography
      1. 12.1 Cryptology
        1. Cryptanalysis
        2. Cryptographic Primitives
        3. One-Time Pads
        4. Statistical Analysis
        5. What Makes a “Secure” Encryption Algorithm?
      2. 12.2 Symmetric Encryption Algorithms
        1. DES
        2. AES
        3. RC2, RC4, RC5, and RC6
      3. 12.3 Asymmetric Encryption with RSA
        1. The RSA Algorithm
        2. Strength of the RSA Algorithm
      4. 12.4 Message Digests
        1. Hash Functions
        2. One-Way Hash Functions
        3. Message Digests
      5. 12.5 Digital Signatures
        1. Elliptic Curve Cryptosystems
        2. El Gamal and Digital Signature Algorithms
        3. The NSA–Cryptography Controversy of 2012
      6. 12.6 Quantum Cryptography
        1. Quantum Physics
        2. Photon Reception
        3. Cryptography with Photons
        4. Implementation
      7. 12.7 Conclusion
    22. 13. Emerging Topics
      1. 13.1 The Internet of Things
        1. Medical Devices
        2. Mobile Phones
        3. Security in the Internet of Things
      2. 13.2 Economics
        1. Making a Business Case
        2. Quantifying Security
        3. Current Research and Future Directions
      3. 13.3 Electronic Voting
        1. What Is Electronic Voting?
        2. What Is a Fair Election?
        3. What Are the Critical Issues?
      4. 13.4 Cyber Warfare
        1. What Is Cyber Warfare?
        2. Possible Examples of Cyber Warfare
        3. Critical Issues
      5. 13.5 Conclusion
    23. Bibliography
    24. Index
    25. Code Snippets