You are previewing Thinking Security: Stopping Next Year’s Hackers.
O'Reilly logo
Thinking Security: Stopping Next Year’s Hackers

Book Description

If you’re a security or network professional, you already know the “do’s and don’ts”: run AV software and firewalls, lock down your systems, use encryption, watch network traffic, follow best practices, hire expensive consultants . . . but it isn’t working. You’re at greater risk than ever, and even the world’s most security-focused organizations are being victimized by massive attacks.

In Thinking Security, author Steven M. Bellovin provides a new way to think about security. As one of the world’s most respected security experts, Bellovin helps you gain new clarity about what you’re doing and why you’re doing it. He helps you understand security as a systems problem, including the role of the all-important human element, and shows you how to match your countermeasures to actual threats. You’ll learn how to move beyond last year’s checklists at a time when technology is changing so rapidly.

You’ll also understand how to design security architectures that don’t just prevent attacks wherever possible, but also deal with the consequences of failures. And, within the context of your coherent architecture, you’ll learn how to decide when to invest in a new security product and when not to.

Bellovin, co-author of the best-selling Firewalls and Internet Security, caught his first hackers in 1971. Drawing on his deep experience, he shares actionable, up-to-date guidance on issues ranging from SSO and federated authentication to BYOD, virtualization, and cloud security.

Perfect security is impossible. Nevertheless, it’s possible to build and operate security systems far more effectively. Thinking Security will help you do just that.

Table of Contents

  1. About This eBook
  2. Title Page
  3. Copyright Page
  4. Dedication Page
  5. Contents
  6. Preface
    1. Protecting the Right Things
    2. Doing the Right Thing
    3. Security: Not Too Big, Not Too Small, Just Right
    4. A Guide to the Perplexed
    5. A Note on Link Rot
    6. Acknowledgments
  7. Part I: Defining the Problem
    1. Chapter 1. Introduction
      1. 1.1 Changes
      2. 1.2 Adapting to Change
      3. 1.3 Security Analysis
      4. 1.4 A Few Words on Terminology
    2. Chapter 2. Thinking About Security
      1. 2.1 The Security Mindset
      2. 2.2 Know Your Goals
      3. 2.3 Security as a Systems Problem
      4. 2.4 Thinking Like the Enemy
    3. Chapter 3. Threat Models
      1. 3.1 Who’s Your Enemy?
      2. 3.2 Classes of Attackers
      3. 3.3 Advanced Persistent Threats
      4. 3.4 What’s at Risk?
      5. 3.5 The Legacy Problem
  8. Part II: Technologies
    1. Chapter 4. Antivirus Software
      1. 4.1 Characteristics
      2. 4.2 The Care and Feeding of Antivirus Software
      3. 4.3 Is Antivirus Always Needed?
      4. 4.4 Analysis
    2. Chapter 5. Firewalls and Intrusion Detection Systems
      1. 5.1 What Firewalls Don’t Do
      2. 5.2 A Theory of Firewalls
      3. 5.3 Intrusion Detection Systems
      4. 5.4 Intrusion Prevention Systems
      5. 5.5 Extrusion Detection
      6. 5.6 Analysis
    3. Chapter 6. Cryptography and VPNs
      1. 6.1 Cryptography, the Wonder Drug
      2. 6.2 Key Distribution
      3. 6.3 Transport Encryption
      4. 6.4 Object Encryption
      5. 6.5 VPNs
      6. 6.6 Protocol, Algorithm, and Key Size Recommendations
      7. 6.7 Analysis
    4. Chapter 7. Passwords and Authentication
      1. 7.1 Authentication Principles
      2. 7.2 Passwords
      3. 7.3 Storing Passwords: Users
      4. 7.4 Password Compromise
      5. 7.5 Forgotten Passwords
      6. 7.6 Biometrics
      7. 7.7 One-Time Passwords
      8. 7.8 Cryptographic Authentication
      9. 7.9 Tokens and Mobile Phones
      10. 7.10 Single-Sign-On and Federated Authentication
      11. 7.11 Storing Passwords: Servers
      12. 7.12 Analysis
    5. Chapter 8. PKI: Public Key Infrastructures
      1. 8.1 What’s a Certificate?
      2. 8.2 PKI: Whom Do You Trust?
      3. 8.3 PKI versus PKI
      4. 8.4 Certificate Expiration and Revocation
      5. 8.5 Analysis
    6. Chapter 9. Wireless Access
      1. 9.1 Wireless Insecurity Myths
      2. 9.2 Living Connected
      3. 9.3 Living Disconnected
      4. 9.4 Smart Phones, Tablets, Toys, and Mobile Phone Access
      5. 9.5 Analysis
    7. Chapter 10. Clouds and Virtualization
      1. 10.1 Distribution and Isolation
      2. 10.2 Virtual Machines
      3. 10.3 Sandboxes
      4. 10.4 The Cloud
      5. 10.5 Security Architecture of Cloud Providers
      6. 10.6 Cloud Computing
      7. 10.7 Cloud Storage
      8. 10.8 Analysis
  9. Part III: Secure Operations
    1. Chapter 11. Building Secure Systems
      1. 11.1 Correct Coding
      2. 11.2 Design Issues
      3. 11.3 External Links
      4. 11.4 Trust Patterns
      5. 11.5 Legacy Systems
      6. 11.6 Structural Defenses
      7. 11.7 Security Evaluations
    2. Chapter 12. Selecting Software
      1. 12.1 The Quality Problem
      2. 12.2 Selecting Software Wisely
    3. Chapter 13. Keeping Software Up to Date
      1. 13.1 Holes and Patches
      2. 13.2 The Problem with Patches
      3. 13.3 How to Patch
    4. Chapter 14. People
      1. 14.1 Employees, Training, and Education
      2. 14.2 Users
      3. 14.3 Social Engineering
      4. 14.4 Usability
      5. 14.5 The Human Element
    5. Chapter 15. System Administration
      1. 15.1 Sysadmins: Your Most Important Security Resource
      2. 15.2 Steering the Right Path
      3. 15.3 System Administration Tools and Infrastructure
      4. 15.4 Outsourcing System Administration
      5. 15.5 The Dark Side Is Powerful
    6. Chapter 16. Security Process
      1. 16.1 Planning
      2. 16.2 Security Policies
      3. 16.3 Logging and Reporting
      4. 16.4 Incident Response
  10. Part IV: The Future
    1. Chapter 17. Case Studies
      1. 17.1 A Small Medical Practice
      2. 17.2 An E-Commerce Site
      3. 17.3 A Cryptographic Weakness
      4. 17.4 The Internet of Things
    2. Chapter 18. Doing Security Properly
      1. 18.1 Obsolescence
      2. 18.2 New Devices
      3. 18.3 New Threats
      4. 18.4 New Defenses
      5. 18.5 Thinking about Privacy
      6. 18.6 Putting It All Together
  11. References
  12. Index
  13. Credits
  14. Colophon
  15. Code Snippets