book

Elementary Information Security, 3rd Edition

Name: Elementary Information Security, 3rd Edition
Author: Richard E. Smith
ISBN: 9781284153057

by Richard E. Smith

October 2019

Beginner

708 pages

26h

English

Jones & Bartlett Learning

Read now

Unlock full access

Cover
Title Page
Copyright Page
Contents
Preface
Acknowledgments
Chapter 1 Security From the Ground Up
1.1 The Security Landscape
1.1.1 Making Security Decisions1.1.2 Framework for Risk Management
1.2 Assessing Risks
1.2.1 The Proprietor’s Risk Management Framework1.2.2 Goals and Assets1.2.3 Security Boundaries1.2.4 Security Architecture
1.3 Identifying Risks
1.3.1 Threat Agents1.3.2 Potential Attacks1.3.3 Risk Matrix

1.4 Prioritizing Risks
1.5 Drafting Security Requirements
1.5.1 Analyzing Alice’s Risks1.5.2 Monitoring Security Measures
1.6 Ethical Issues in Security Analysis
1.6.1 Searching for Vulnerabilities1.6.2 Sharing and Publishing Cyber Vulnerabilities
1.7 Resources
1.7.1 Review Questions1.7.2 Exercises
Chapter 2 Controlling a Computer
2.1 Computers and Programs
2.1.1 Input/Output2.1.2 Program Execution2.1.3 Procedures
2.2 Programs and Processes
2.2.1 Switching Between Processes2.2.2 The Operating System
2.3 Buffer Overflows and the Morris Worm
2.3.1 The “Finger” Overflow2.3.2 Security Alerts2.3.3 Studying Cyberattacks
2.4 Access Control Strategies
2.4.1 Puzzles and Patterns2.4.2 Chain of Control: Another Basic Principle
2.5 Keeping Processes Separate
2.5.1 Sharing a Program2.5.2 Sharing Data
2.6 Selecting Security Controls
2.7 Security Plan: Process Protection
2.8 Resources
2.8.1 Review Questions2.8.2 Exercises
Chapter 3 Controlling Files
3.1 The File System
3.1.1 File Ownership and Access Rights3.1.2 Directory Access Rights
3.2 Executable Files and Malware
3.2.1 Execution Access Rights3.2.2 Computer Viruses3.2.3 Macro Viruses3.2.4 Modern Malware: A Rogue’s Gallery
3.3 Sharing and Protecting Files
3.3.1 Security Policies for Sharing and Protection
3.4 Security Controls for Files
3.4.1 Deny by Default: A Basic Principle3.4.2 Managing Access Rights
3.5 File Security Controls
3.5.1 File Permission Flags3.5.2 Security Controls to Enforce the Isolation Policy3.5.3 States and State Diagrams
3.6 Patching Security Flaws
3.7 Resources
3.7.1 Review Questions3.7.2 Exercises
Chapter 4 Sharing Files
4.1 Controlled Sharing
4.1.1 Basic File Sharing on Windows4.1.2 User Groups4.1.3 Least Privilege and Administrative Users
4.2 File Permission Flags
4.2.1 Permission Flags and Ambiguities4.2.2 Permission Flag Examples
4.3 Access Control Lists and MacOS
4.4 Microsoft Windows ACLs
4.4.1 Denying Access4.4.2 Default File Protection4.4.3 A Different Trojan Horse
4.5 Monitoring Cyber System Security
4.5.1 Logging Events4.5.2 External Security Requirements
4.6 Resources
4.6.1 Review Questions4.6.2 Exercises
Chapter 5 Storing Files
5.1 Incident Response and Attack
5.1.1 The Aftermath of an Incident5.1.2 Legal Disputes
5.2 Digital Evidence
5.2.1 Collecting Legal Evidence5.2.2 Digital Evidence Procedures
5.3 Storing Data on a Hard Drive
5.3.1 Hard Drive Controller5.3.2 Hard Drive Formatting
5.4 Common Drive Concepts
5.4.1 Error Detection and Correction5.4.2 Drive Partitions5.4.3 Memory Sizes and Address Variables
5.5 FAT: An Example File System
5.5.1 Boot Blocks5.5.2 Building Files from Clusters5.5.3 FAT Directories
5.6 Modern File Systems
5.6.1 Unix File System5.6.2 Apple’s HFS Plus5.6.3 Microsoft’s NTFS5.6.4 File Systems in Portable and Networked Systems
5.7 Input/Output and File System Software
5.7.1 Software Layering5.7.2 A Typical I/O Operation5.7.3 Security and I/O
5.8 Resources
5.8.1 Review Questions5.8.2 Exercises
Chapter 6 Authenticating People
6.1 Unlocking a Door
6.1.1 Authentication Factors6.1.2 Threat Agents and Risks6.1.3 Database Thefts
6.2 Evolution of Password Systems
6.2.1 One-Way Hash Functions6.2.2 Sniffing Credentials
6.3 Password Guessing
6.3.1 Password Search Space6.3.2 Truly Random Password Selection6.3.3 Cracking Speeds
6.4 Attacks on Password Bias
6.4.1 Biased Choices and Average Attack Space6.4.2 Estimating Language-Based Password Bias
6.5 Authentication Tokens
6.5.1 Challenge-Response Authentication6.5.2 One-Time Password Tokens6.5.3 Mobile Devices and Smartphones as Tokens6.5.4 Token Vulnerabilities
6.6 Biometric Authentication
6.6.1 Biometric Accuracy6.6.2 Biometric Vulnerabilities
6.7 Authentication Policy
6.7.1 Weak and Strong Threats6.7.2 Policies for Weak Threat Environments2706.7.3 Policies for Strong and Extreme Threats2726.7.4 Password Selection and Handling
6.8 Resources
6.8.1 Review Questions6.8.2 Exercises
Chapter 7 Encrypting Files
7.1 Protecting the Accessible
7.1.1 The Encrypted Diary7.1.2 Encryption Basics7.1.3 Encryption and Information States
7.2 Encryption and Cryptanalysis
7.2.1 The Vigenère Cipher7.2.2 Electromechanical Encryption
7.3 Computer-Based Encryption
7.3.1 Exclusive Or: A Crypto Building Block7.3.2 Stream Ciphers: Another Building Block7.3.3 Key Stream Security7.3.4 The One-Time Pad
7.4 File Encryption Software
7.4.1 Built-In File Encryption7.4.2 Encryption Application Programs7.4.3 Erasing a Plaintext File7.4.4 Choosing a File Encryption Program
7.5 Digital Rights Management
7.6 Resources
7.6.1 Review Questions7.6.2 Exercises
Chapter 8 Secret and Public Keys
8.1 The Key Management Challenge
8.1.1 Rekeying8.1.2 Using Text for Encryption Keys8.1.3 Key Strength
8.2 The Reused Key Stream Problem
8.2.1 Avoiding Reused Keys8.2.2 Key Wrapping: Another Building Block3338.2.3 Separation of Duty: A Basic Principle8.2.4 DVD Key Handling
8.3 Public-Key Cryptography
8.3.1 Sharing a Secret: Diffie–Hellman8.3.2 Diffie–Hellman: The Basics of the Math8.3.3 Elliptic Curve Cryptography8.3.4 Quantum Cryptography and Post-Quantum Cryptography
8.4 RSA: Rivest–Shamir–Adleman
8.4.1 Encapsulating Keys with RSA8.4.2 An Overview of RSA Mathematics
8.5 Data Integrity and Digital Signatures
8.5.1 Detecting Malicious Changes8.5.2 Detecting a Changed Hash Value8.5.3 Digital Signatures
8.6 Publishing Public Keys
8.6.1 Public-Key Certificates8.6.2 Chains of Certificates8.6.3 Authenticated Software Updates
8.7 Resources
8.7.1 Review Questions8.7.2 Exercises
Chapter 9 Encrypting Volumes
9.1 Securing a Volume
9.1.1 Risks to Volumes9.1.2 Risks and Policy Trade-Offs
9.2 Block Ciphers
9.2.1 Evolution of DES and AES9.2.2 The RC4 Story9.2.3 Qualities of Good Encryption Algorithms
9.3 Block Cipher Modes
9.3.1 Stream Cipher Modes9.3.2 Cipher Feedback Mode9.3.3 Cipher Block Chaining9.3.4 Block Mode Standards
9.4 Encrypting a Volume
9.4.1 Volume Encryption in Software9.4.2 Block Modes for Volume Encryption9.4.3 A “Tweakable” Encryption Mode9.4.4 Residual Risks
9.5 Encryption in Hardware
9.5.1 The Drive Controller9.5.2 Drive Locking and Unlocking
9.6 Managing Encryption Keys
9.6.1 Key Storage9.6.2 Booting an Encrypted Drive9.6.3 Residual Risks to Keys
9.7 Resources
9.7.1 Review Questions9.7.2 Exercises
Chapter 10 Connecting Computers
10.1 The Network Security Problem
10.1.1 Basic Network Attacks and Defenses10.1.2 Physical Network Protection10.1.3 Host and Network Integrity
10.2 Transmitting Data
10.2.1 Message Switching10.2.2 Circuit Switching10.2.3 Packet Switching
10.3 Transmitting Packets
10.4 Ethernet: A Modern LAN
10.4.1 Wiring a Small Network10.4.2 Ethernet Frame Format10.4.3 Finding Host Addresses10.4.4 Handling Collisions
10.5 The Protocol Stack
10.5.1 Relationships Between Layers10.5.2 The OSI Protocol Model10.5.3 Wireless Alternatives for Mobile Equipment
10.6 Network Applications
10.6.1 Resource Sharing10.6.2 Data and File Sharing
10.7 Resources
10.7.1 Review Questions10.7.2 Exercises
Chapter 11 Networks of Networks
11.1 Building Data Networks
11.2 Combining Computer Networks
11.2.1 Hopping Between Networks11.2.2 Evolution of Internet Security11.2.3 Internet Structure
11.3 Talking Between Hosts
11.3.1 IP Addresses11.3.2 IP Packet Format11.3.3 Address Resolution Protocol
11.4 Internet Addresses in Practice
11.4.1 Addresses, Scope, and Reachability11.4.2 Private IP Addresses
11.5 Network Inspection Tools
11.5.1 Wireshark Examples11.5.2 Mapping a LAN with Nmap
11.6 Resources
11.6.1 Review Questions11.6.2 Exercises
Chapter 12 End-to-End Networking
12.1 “Smart” Versus “Dumb” Networks
12.2 Internet Transport Protocols
12.2.1 Transmission Control Protocol12.2.2 Attacks on Protocols
12.3 Names on the Internet
12.3.1 Domain Names in Practice12.3.2 Looking Up Names12.3.3 DNS Protocol12.3.4 Investigating Domain Names12.3.5 Attacking DNS
12.4 Internet Firewalls
12.4.1 Network Address Translation12.4.2 Filtering and Connectivity12.4.3 Software-Based Firewalls
12.5 Network Authentication
12.5.1 Direct Authentication12.5.2 Indirect Authentication12.5.3 Offline Authentication
12.6 Resources
12.6.1 Review Questions12.6.2 Exercises
Chapter 13 Network Encryption
13.1 Communications Security
13.1.1 Crypto by Layers13.1.2 Administrative and Policy Issues
13.2 Crypto Keys on a Network
13.2.1 Manual Keying: A Building Block13.2.2 Simple Rekeying13.2.3 Secret-Key Building Blocks13.2.4 Public-Key Building Blocks13.2.5 Public-Key Versus Secret-Key Exchanges
13.3 Crypto Atop the Protocol Stack
13.3.1 Transport Layer Security—SSL and TLS13.3.2 SSL Handshake Protocol13.3.3 SSL Record Transmission
13.4 Network Layer Cryptography
13.4.1 The Encapsulating Security Payload13.4.2 Implementing a VPN13.4.3 Internet Key Exchange Protocol
13.5 Link Encryption on 802.11 Wireless
13.5.1 Wireless Packet Protection13.5.2 Security Associations
13.6 Cryptographic Security Requirements
13.7 Resources
13.7.1 Review Questions13.7.2 Exercises
Chapter 14 Internet Services and Email
14.1 Internet Services
14.2 Internet Email
14.2.1 Email Protocol Standards14.2.2 Tracking an Email14.2.3 Forging an Email Message
14.3 Email Security Problems
14.3.1 Spam14.3.2 Phishing14.3.3 Email Viruses and Hoaxes
14.4 Enterprise Firewalls
14.4.1 Controlling Internet Traffic14.4.2 Traffic-Filtering Mechanisms14.4.3 Implementing Firewall Rules
14.5 Enterprise Point of Presence
14.5.1 POP Topology14.5.2 Attacking an Enterprise Site14.5.3 The Challenge of Real-Time Media
14.6 Resources
14.6.1 Review Questions14.6.2 Exercises
Chapter 15 The World Wide Web
15.1 Hypertext Fundamentals
15.1.1 Addressing Web Pages15.1.2 Retrieving a Static Web Page
15.2 Basic Web Security
15.2.1 Static Website Security15.2.2 Server Authentication15.2.3 Server Masquerades
15.3 Dynamic Websites
15.3.1 Scripts on the Web15.3.2 States and HTTP
15.4 Content Management Systems
15.4.1 Database Management Systems15.4.2 Password Checking: A CMS Example15.4.3 Command Injection Attacks15.4.4 “Top Ten” Web Application Security Risks
15.5 Ensuring Web Security Properties
15.5.1 Web Availability15.5.2 Web Privacy
15.6 Resources
15.6.1 Review Questions15.6.2 Exercises
Appendix
Index

Overview

If we want a solid understanding of security technology, we must look closely at the underlying strengths a of information technology itself. An ideal text for introductory information security courses, the Third Edition of Elementary Information Security provides a comprehensive yet easy-to-understand introduction to the complex world of cybersecurity and technology. Thoroughly updated with recently reported cybersecurity incidents, this essential text enables students to gain direct experience by analyzing security problems and practicing simulated security activities. Emphasizing learning through experience, Elementary Information Security, Third Edition addresses technologies and cryptographic topics progressing from individual computers to more complex Internet-based systems. Designed to fulfill curriculum requirement published the U.S. government and the Association for Computing Machinery (ACM), Elementary Information Security, Third Edition also covers the core learning outcomes for information security education published in the ACM’s “IT 2008” curricular recommendations. Students who are interested in becoming a Certified Information Systems Security Professional (CISSP) may also use this text as a study aid for the examination.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781284153057

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills