Computer Security Handbook, Fifth Edition

Table of contents

1. Volume I: Computer Security Handbook
   1. Title Page
   2. Copyright
   3. Contents
   4. PREFACE
   5. ACKNOWLEDGMENTS
   6. ABOUT THE EDITORS
   7. ABOUT THE CONTRIBUTORS
   8. A NOTE TO INSTRUCTORS
   9. INTRODUCTION TO PART I: FOUNDATIONS OF COMPUTER SECURITY
      1. CHAPTER 1: BRIEF HISTORY AND MISSION OF INFORMATION SYSTEM SECURITY
         1. 1.1 INTRODUCTION TO INFORMATION SYSTEM SECURITY.
         2. 1.2 EVOLUTION OF INFORMATION SYSTEMS.
         3. 1.3 GOVERNMENT RECOGNITION OF INFORMATION ASSURANCE.
         4. 1.4 RECENT DEVELOPMENTS.
         5. 1.5 ONGOING MISSION FOR INFORMATION SYSTEM SECURITY.
         6. 1.6 NOTES
      2. CHAPTER 2: HISTORY OF COMPUTER CRIME
         1. 2.1 WHY STUDY HISTORICAL RECORDS?
         2. 2.2 OVERVIEW.
         3. 2.3 1960S AND 1970S: SABOTAGE.
         4. 2.4 IMPERSONATION.
         5. 2.5 PHONE PHREAKING.
         6. 2.6 DATA DIDDLING.
         7. 2.7 SALAMI FRAUD.
         8. 2.8 LOGIC BOMBS.
         9. 2.9 EXTORTION.
         10. 2.10 TROJAN HORSES.
         11. 2.11 NOTORIOUS WORMS AND VIRUSES.
         12. 2.12 SPAM.
         13. 2.13 DENIAL OF SERVICE.
         14. 2.14 HACKER UNDERGROUND OF THE 1980S AND 1990S.
         15. 2.15 CONCLUDING REMARKS.
         16. 2.16 FURTHER READING
         17. 2.17 NOTES
      3. CHAPTER 3: TOWARD A NEW FRAMEWORK FOR INFORMATION SECURITY*
         1. 3.1 PROPOSAL FOR A NEW INFORMATION SECURITY FRAMEWORK.
         2. 3.2 SIX ESSENTIAL SECURITY ELEMENTS.
         3. 3.3 WHAT THE DICTIONARIES SAY ABOUT THE WORDS WE USE.
         4. 3.4 COMPREHENSIVE LISTS OF SOURCES AND ACTS CAUSING INFORMATION LOSSES.
         5. 3.5 FUNCTIONS OF INFORMATION SECURITY.
         6. 3.6 SELECTING SAFEGUARDS USING A STANDARD OF DUE DILIGENCE.
         7. 3.7 THREATS, ASSETS, VULNERABILITIES MODEL.
         8. 3.8 CONCLUSION.
      4. CHAPTER 4: HARDWARE ELEMENTS OF SECURITY
         1. 4.1 INTRODUCTION.
         2. 4.2 BINARY DESIGN.
         3. 4.3 PARITY.
         4. 4.4 HARDWARE OPERATIONS.
         5. 4.5 INTERRUPTS.
         6. 4.6 MEMORY AND DATA STORAGE.
         7. 4.7 TIME.
         8. 4.8 NATURAL DANGERS.
         9. 4.9 DATA COMMUNICATIONS.
         10. 4.10 CRYPTOGRAPHY.
         11. 4.11 BACKUP.
         12. 4.12 RECOVERY PROCEDURES.
         13. 4.13 MICROCOMPUTER CONSIDERATIONS.
         14. 4.14 CONCLUSION.
         15. 4.15 HARDWARE SECURITY CHECKLIST
         16. 4.16 FURTHER READING
      5. CHAPTER 5: DATA COMMUNICATIONS AND INFORMATION SECURITY
         1. 5.1 INTRODUCTION.
         2. 5.2 SAMPLING OF NETWORKS.
         3. 5.3 NETWORK PROTOCOLS AND VULNERABILITIES.
         4. 5.4 STANDARDS.
         5. 5.5 INTERNET PROTOCOL (IP).
         6. 5.6 TRANSMISSION CONTROL PROTOCOL (TCP).
         7. 5.7 USER DATAGRAM PROTOCOL.
         8. 5.8 TCP/IP SUPERVISORY STANDARDS.
         9. 5.9 APPLICATION STANDARDS.
         10. 5.10 CONCLUDING REMARKS.
         11. 5.11 FURTHER READING
         12. 5.12 NOTES
      6. CHAPTER 6: NETWORK TOPOLOGIES, PROTOCOLS, AND DESIGN
         1. 6.1 OVERVIEW.
         2. 6.2 LAN TOPOLOGY.
         3. 6.3 MEDIA.
         4. 6.4 MEDIA ACCESS CONTROL.
         5. 6.5 LAN PROTOCOLS AND STANDARDS.
         6. 6.6 INTERCONNECTION DEVICES.
         7. 6.7 NETWORK OPERATING SYSTEMS.
         8. 6.8 SUMMARY.
         9. 6.9 WEB SITES
         10. 6.10 FURTHER READING
         11. 6.11 NOTES
      7. CHAPTER 7: ENCRYPTION
         1. 7.1 INTRODUCTION TO CRYPTOGRAPHY.
         2. 7.2 BASIC CRYPTOGRAPHY.
         3. 7.3 DES AND MODERN ENCRYPTION.
         4. 7.4 PUBLIC KEY ENCRYPTION.
         5. 7.5 PRACTICAL ENCRYPTION.
         6. 7.6 BEYOND RSA AND DES.
         7. 7.7 FURTHER READING.
         8. 7.8 NOTES
      8. CHAPTER 8: USING A COMMON LANGUAGE FOR COMPUTER SECURITY INCIDENT INFORMATION
         1. 8.1 INTRODUCTION.
         2. 8.2 WHY A COMMON LANGUAGE IS NEEDED.
         3. 8.3 DEVELOPMENT OF THE COMMON LANGUAGE.
         4. 8.4 COMPUTER SECURITY INCIDENT INFORMATION TAXONOMY.
         5. 8.5 ADDITIONAL INCIDENT INFORMATION TERMS.
         6. 8.6 HOW TO USE THE COMMON LANGUAGE.
         7. 8.7 NOTES
      9. CHAPTER 9: MATHEMATICAL MODELS OF COMPUTER SECURITY
         1. 9.1 WHY MODELS ARE IMPORTANT.
         2. 9.2 MODELS AND SECURITY.
         3. 9.3 MODELS AND CONTROLS.
         4. 9.4 CLASSIC MODELS.
         5. 9.5 OTHER MODELS.
         6. 9.6 CONCLUSION.
         7. 9.7 FURTHER READING
         8. 9.8 NOTES
      10. CHAPTER 10: UNDERSTANDING STUDIES AND SURVEYS OF COMPUTER CRIME
          1. 10.1 INTRODUCTION.
          2. 10.2 BASIC RESEARCH METHODOLOGY.
          3. 10.3 SUMMARY.
          4. 10.4 FURTHER READING
          5. 10.5 NOTES
      11. CHAPTER 11: FUNDAMENTALS OF INTELLECTUAL PROPERTY LAW
          1. 11.1 INTRODUCTION.
          2. 11.2 THE MOST FUNDAMENTAL BUSINESS TOOL FOR PROTECTION OF TECHNOLOGY IS THE CONTRACT.
          3. 11.3 PROPRIETARY RIGHTS AND TRADE SECRETS.
          4. 11.4 COPYRIGHT LAW AND SOFTWARE.
          5. 11.5 DIGITAL MILLENNIUM COPYRIGHT ACT.
          6. 11.6 CIRCUMVENTING TECHNOLOGY MEASURES.
          7. 11.7 PATENT PROTECTION.
          8. 11.8 PIRACY AND OTHER INTRUSIONS.
          9. 11.9 OTHER TOOLS TO PREVENT UNAUTHORIZED INTRUSIONS.
          10. 11.10 OPEN SOURCE.
          11. 11.11 APPLICATION INTERNATIONALLY.
          12. 11.12 CONCLUDING REMARKS.
          13. 11.13 FURTHER READING
          14. 11.14 NOTES
   10. INTRODUCTION TO PART II: THREATS AND VULNERABILITIES
       1. CHAPTER 12: THE PSYCHOLOGY OF COMPUTER CRIMINALS
          1. 12.1 INTRODUCTION.
          2. 12.2 SELF-REPORTED MOTIVATIONS.
          3. 12.3 PSYCHOLOGICAL PERSPECTIVES ON COMPUTER CRIME.
          4. 12.4 SOCIAL DISTANCE, ANONYMITY, AGGRESSION, AND COMPUTER CRIME.
          5. 12.5 INDIVIDUAL DIFFERENCES AND COMPUTER CRIMINALS.
          6. 12.6 ETHICS AND COMPUTER CRIME.
          7. 12.7 CLASSIFICATIONS OF COMPUTER CRIMINALS.
          8. 12.8 SUMMARY AND CONCLUSIONS.
          9. 12.9 NOTES
       2. CHAPTER 13: THE DANGEROUS INFORMATION TECHNOLOGY INSIDER: PSYCHOLOGICAL CHARACTERISTICS AND CAREER PATTERNS1
          1. 13.1 COMPUTER INFORMATION TECHNOLOGY INSIDERS.
          2. 13.2 PSYCHOLOGICAL CHARACTERISTICS OF INFORMATION TECHNOLOGY SPECIALISTS.
          3. 13.3 CHARACTERISTICS OF THE DANGEROUS COMPUTER INFORMATION TECHNOLOGY INSIDER (CITI).
          4. 13.4 ESCALATING PATHWAY TO MAJOR COMPUTER CRIME.
          5. 13.5 STRESS AND ATTACKS ON COMPUTER SYSTEMS.
          6. 13.6 TYPOLOGY OF COMPUTER CRIME PERPETRATORS.
          7. 13.7 CONCLUSION AND IMPLICATIONS.
          8. 13.8 NOTE
       3. CHAPTER 14: INFORMATION WARFARE
          1. 14.1 INTRODUCTION.
          2. 14.2 VULNERABILITIES.
          3. 14.3 GOALS AND OBJECTIVES.
          4. 14.4 SOURCES OF THREATS AND ATTACKS.
          5. 14.5 WEAPONS OF CYBERWAR.
          6. 14.6 DEFENSES.
          7. 14.7 FURTHER READING
          8. 14.8 NOTES
       4. CHAPTER 15: PENETRATING COMPUTER SYSTEMS AND NETWORKS
          1. 15.1 MULTIPLE FACTORS INVOLVED IN SYSTEM PENETRATION.
          2. 15.2 NONTECHNICAL PENETRATION TECHNIQUES.
          3. 15.3 TECHNICAL PENETRATION TECHNIQUES.
          4. 15.4 POLITICAL AND LEGAL ISSUES.
          5. 15.5 SUMMARY
          6. 15.6 FURTHER READING
          7. 15.7 NOTES
       5. CHAPTER 16: MALICIOUS CODE
          1. 16.1 INTRODUCTION.
          2. 16.2 MALICIOUS CODE THREAT MODEL.
          3. 16.3 SURVEY OF MALICIOUS CODE
          4. 16.4 DETECTION OF MALICIOUS CODE.
          5. 16.5 PREVENTION OF MALICIOUS CODE ATTACKS
          6. 16.6 CONCLUSION.
          7. 16.7 FURTHER READING
          8. 16.8 NOTES
       6. CHAPTER 17: MOBILE CODE
          1. 17.1 INTRODUCTION.
          2. 17.2 SIGNED CODE.
          3. 17.3 RESTRICTED OPERATING ENVIRONMENTS.
          4. 17.4 DISCUSSION.
          5. 17.5 SUMMARY.
          6. 17.6 FURTHER READING
          7. 17.7 NOTES
       7. CHAPTER 18: DENIAL-OF-SERVICE ATTACKS
          1. 18.1 INTRODUCTION.
          2. 18.2 DENIAL-OF-SERVICE ATTACKS.
          3. 18.3 DISTRIBUTED DENIAL-OF-SERVICE ATTACKS.
          4. 18.4 MANAGEMENT ISSUES.
          5. 18.5 FURTHER READING
          6. 18.6 NOTE
       8. CHAPTER 19: SOCIAL ENGINEERING AND LOW-TECH ATTACKS
          1. 19.1 INTRODUCTION.
          2. 19.2 BACKGROUND AND HISTORY.
          3. 19.3 SOCIAL ENGINEERING METHODS.
          4. 19.4 PSYCHOLOGY AND SOCIAL PSYCHOLOGY OF SOCIAL ENGINEERING.
          5. 19.5 DANGERS OF SOCIAL ENGINEERING AND ITS IMPACT ON BUSINESSES.
          6. 19.6 DETECTION.
          7. 19.7 RESPONSE.
          8. 19.8 DEFENSE AND MITIGATION.
          9. 19.9 CONCLUSION.
          10. 19.10 FURTHER READING
          11. 19.11 NOTES
       9. CHAPTER 20: SPAM, PHISHING, AND TROJANS: ATTACKS MEANT TO FOOL
          1. 20.1 UNWANTED E-MAIL AND OTHER PESTS: A SECURITY ISSUE.
          2. 20.2 E-MAIL: AN ANATOMY LESSON.
          3. 20.3 SPAM DEFINED.
          4. 20.4 FIGHTING SPAM.
          5. 20.5 PHISHING.
          6. 20.6 TROJAN CODE.
          7. 20.7 CONCLUDING REMARKS.
          8. 20.8 FURTHER READING
          9. 20.9 NOTES
       10. CHAPTER 21: WEB-BASED VULNERABILITIES
           1. 21.1 INTRODUCTION.
           2. 21.2 BREAKING E-COMMERCE SYSTEMS.
           3. 21.3 CASE STUDY OF BREAKING AN E-BUSINESS.
           4. 21.4 WEB APPLICATION SYSTEM SECURITY.
           5. 21.5 PROTECTING WEB APPLICATIONS.
           6. 21.6 COMPONENTS AND VULNERABILITIES IN E-COMMERCE SYSTEMS.
           7. 21.7 SUMMARY.
           8. 21.8 FURTHER READING
           9. 21.9 NOTES
       11. CHAPTER 22: PHYSICAL THREATS TO THE INFORMATION INFRASTRUCTURE
           1. 22.1 INTRODUCTION.
           2. 22.2 BACKGROUND AND PERSPECTIVE.
           3. 22.3 THREAT ASSESSMENT PROCESS.
           4. 22.4 GENERAL THREATS.
           5. 22.5 WORKPLACE VIOLENCE AND TERRORISM.
           6. 22.6 OTHER THREAT SITUATIONS
           7. 22.7 CONFIDENTIAL THREAT INFORMATION.
           8. 22.8 SUMMARY.
           9. 22.9 FURTHER READING
           10. 22.10 NOTES
   11. INTRODUCTION TO PART III: PREVENTION: TECHNICAL DEFENSES
       1. CHAPTER 23: PROTECTING THE INFORMATION INFRASTRUCTURE
          1. 23.1 INTRODUCTION.
          2. 23.2 SECURITY PLANNING AND MANAGEMENT.
          3. 23.3 STRATEGIC PLANNING PROCESS.
          4. 23.4 ELEMENTS OF GOOD PROTECTION.
          5. 23.5 OTHER CONSIDERATIONS.
          6. 23.6 ACCESS CONTROL.
          7. 23.7 SURVEILLANCE SYSTEMS.
          8. 23.8 OTHER DESIGN CONSIDERATIONS.
          9. 23.9 MITIGATING SPECIFIC THREATS.
          10. 23.10 INFORMATION NOT PUBLICLY AVAILABLE.
          11. 23.11 COMPLETING THE SECURITY PLANNING PROCESS.
          12. 23.12 SUMMARY AND CONCLUSIONS.
          13. 23.13 FURTHER READING
          14. 23.14 NOTES
       2. CHAPTER 24: OPERATING SYSTEM SECURITY
          1. 24.1 INFORMATION PROTECTION AND SECURITY.
          2. 24.2 REQUIREMENTS FOR OPERATING SYSTEM SECURITY
          3. 24.3 PROTECTION MECHANISMS.
          4. 24.4 FILE SHARING.
          5. 24.5 TRUSTED SYSTEMS.
          6. 24.6 WINDOWS 2000 SECURITY.
          7. 24.7 FURTHER READING
          8. 24.8 NOTES
       3. CHAPTER 25: LOCAL AREA NETWORKS
          1. 25.1 INTRODUCTION.
          2. 25.2 POLICY AND PROCEDURE ISSUES.
          3. 25.3 PHYSICAL SITE SECURITY.
          4. 25.4 PHYSICAL LAYER ISSUES.
          5. 25.5 NETWORK OPERATING SYSTEM ISSUES.
          6. 25.6 CONCLUSION.
          7. 25.7 FURTHER READING
          8. 25.8 NOTES
       4. CHAPTER 26: GATEWAY SECURITY DEVICES
          1. 26.1 INTRODUCTION.
          2. 26.2 HISTORY AND BACKGROUND.
          3. 26.3 NETWORK SECURITY MECHANISMS.
          4. 26.4 DEPLOYMENT.
          5. 26.5 NETWORK SECURITY DEVICE EVALUATION.
          6. 26.6 CONCLUDING REMARKS.
          7. 26.7 FURTHER READING
       5. CHAPTER 27: INTRUSION DETECTION AND INTRUSION PREVENTION DEVICES
          1. 27.1 SECURITY BEHIND THE FIREWALL.
          2. 27.2 MAIN CONCEPTS.
          3. 27.3 INTRUSION PREVENTION.
          4. 27.4 INFORMATION SOURCES.
          5. 27.5 ANALYSIS SCHEMES.
          6. 27.6 RESPONSE.
          7. 27.7 NEEDS ASSESSMENT AND PRODUCT SELECTION.
          8. 27.8 CONCLUSION.
          9. 27.9 FURTHER READING
          10. 27.10 NOTES
       6. CHAPTER 28: IDENTIFICATION AND AUTHENTICATION
          1. 28.1 INTRODUCTION.
          2. 28.2 FOUR PRINCIPLES OF AUTHENTICATION.
          3. 28.3 PASSWORD-BASED AUTHENTICATION.
          4. 28.4 TOKEN-BASED AUTHENTICATION.
          5. 28.5 BIOMETRIC AUTHENTICATION.
          6. 28.6 CROSS-DOMAIN AUTHENTICATION.
          7. 28.7 RELATIVE COSTS OF AUTHENTICATION TECHNOLOGIES.
          8. 28.8 CONCLUDING REMARKS.
          9. 28.9 SUMMARY.
          10. 28.10 FURTHER READING
          11. 28.11 NOTES
       7. CHAPTER 29: BIOMETRIC AUTHENTICATION
          1. 29.1 INTRODUCTION.
          2. 29.2 IMPORTANCE OF IDENTIFICATION AND VERIFICATION.
          3. 29.3 FUNDAMENTALS AND APPLICATIONS.
          4. 29.4 TYPES OF BIOMETRIC TECHNOLOGIES.
          5. 29.5 TYPES OF ERRORS AND SYSTEM METRICS.
          6. 29.6 DISADVANTAGES AND PROBLEMS
          7. 29.7 RECENT TRENDS IN BIOMETRIC AUTHENTICATION
          8. 29.8 SUMMARY AND RECOMMENDATIONS.
          9. 29.9 FURTHER READING
          10. 29.10 NOTES
       8. CHAPTER 30: E-COMMERCE AND WEB SERVER SAFEGUARDS
          1. 30.1 INTRODUCTION.
          2. 30.2 BUSINESS POLICIES AND STRATEGIES.
          3. 30.3 RULES OF ENGAGEMENT.
          4. 30.4 RISK ANALYSIS.
          5. 30.5 OPERATIONAL REQUIREMENTS.
          6. 30.6 TECHNICAL ISSUES.
          7. 30.7 ETHICAL AND LEGAL ISSUES.
          8. 30.8 SUMMARY.
          9. 30.9 FURTHER READING
          10. 30.10 NOTES
       9. CHAPTER 31: WEB MONITORING AND CONTENT FILTERING
          1. 31.1 INTRODUCTION.
          2. 31.2 SOME TERMINOLOGY
          3. 31.3 MOTIVATION.
          4. 31.4 GENERAL TECHNIQUES.
          5. 31.5 IMPLEMENTATION.
          6. 31.6 ENFORCEMENT.
          7. 31.7 VULNERABILITIES.
          8. 31.8 THE FUTURE.
          9. 31.9 SUMMARY.
          10. 31.10 FURTHER READING
          11. 31.11 NOTES
       10. CHAPTER 32: VIRTUAL PRIVATE NETWORKS AND SECURE REMOTE ACCESS
           1. 32.1 INTRODUCTION.
           2. 32.2 SECURE CLIENT VPNs.
           3. 32.3 TRUSTED VPNs.
           4. 32.4 EXTRANETS.
           5. 32.5 CONCLUSION.
           6. 32.6 FURTHER READING
       11. CHAPTER 33: 802.11 WIRELESS LAN SECURITY
           1. 33.1 INTRODUCTION.
           2. 33.2 802.11 ARCHITECTURE AND PRODUCT TYPES.
           3. 33.3 WIRELESS LAN SECURITY THREATS.
           4. 33.4 ORIGINAL 802.11 SECURITY FUNCTIONALITY.
           5. 33.5 IEEE 802.11I.
           6. 33.6 802.11 SECURITY AUDITING TOOLS.
           7. 33.7 CONCLUSION.
           8. 33.8 APPENDIX 33A–802.11 STANDARDS.
           9. 33.9 APPENDIX 33B: ABBREVIATIONS, TERMINOLOGY, AND DEFINITIONS.
           10. 33.10 FURTHER READING
           11. 33.11 NOTES
       12. CHAPTER 34: SECURING VOIP
           1. 34.1 INTRODUCTION.
           2. 34.2 REGULATORY COMPLIANCE AND RISK ANALYSIS.
           3. 34.3 TECHNICAL ASPECTS OF VOIP SECURITY.
           4. 34.4 PROTECTING THE INFRASTRUCTURE.
           5. 34.5 ENCRYPTION.
           6. 34.6 CONCLUDING REMARKS.
           7. 34.7 FURTHER READING
           8. 34.8 NOTES
       13. CHAPTER 35: SECURING P2P, IM, SMS, AND COLLABORATION TOOLS
           1. 35.1 INTRODUCTION.
           2. 35.2 GENERAL CONCEPTS AND DEFINITIONS.
           3. 35.3 PEER-TO-PEER NETWORKS.
           4. 35.4 SECURING INSTANT MESSAGING.
           5. 35.5 SECURING SMS.
           6. 35.6 SECURING COLLABORATION TOOLS.
           7. 35.7 CONCLUDING REMARKS.
           8. 35.8 FURTHER READING
           9. 35.9 NOTES
       14. CHAPTER 36: SECURING STORED DATA
           1. 36.1 INTRODUCTION TO SECURING STORED DATA.
           2. 36.2 FIBER CHANNEL WEAKNESS AND EXPLOITS.
           3. 36.3 NFS WEAKNESS AND EXPLOITS.
           4. 36.4 CIFS EXPLOITS.
           5. 36.5 ENCRYPTION.
           6. 36.6 DATA DISPOSAL.
           7. 36.7 CONCLUDING REMARKS.
           8. 36.8 FURTHER READING
           9. 36.9 NOTES
       15. CHAPTER 37: PKI AND CERTIFICATE AUTHORITIES
           1. 37.1 INTRODUCTION.
           2. 37.2 NEED FOR PUBLIC KEY INFRASTRUCTURE.
           3. 37.3 PUBLIC KEY CERTIFICATE.
           4. 37.4 ENTERPRISE PUBLIC KEY INFRASTRUCTURE.
           5. 37.5 CERTIFICATE POLICY.
           6. 37.6 GLOBAL PUBLIC KEY INFRASTRUCTURE.
           7. 37.7 FORMS OF REVOCATION.
           8. 37.8 REKEY.
           9. 37.9 KEY RECOVERY.
           10. 37.10 PRIVILEGE MANAGEMENT.
           11. 37.11 TRUSTED ARCHIVAL SERVICES AND TRUSTED TIME STAMPS.
           12. 37.12 COST OF PUBLIC KEY INFRASTRUCTURE.
           13. 37.13 FURTHER READING
           14. 37.14 NOTES
       16. CHAPTER 38: WRITING SECURE CODE
           1. 38.1 INTRODUCTION.
           2. 38.2 POLICY AND MANAGEMENT ISSUES.
           3. 38.3 TECHNICAL AND PROCEDURAL ISSUES.
           4. 38.4 TYPES OF SOFTWARE ERRORS.
           5. 38.5 ASSURANCE TOOLS AND TECHNIQUES.
           6. 38.6 CONCLUDING REMARKS.
           7. 38.7 FURTHER READING
       17. CHAPTER 39: SOFTWARE DEVELOPMENT AND QUALITY ASSURANCE
           1. 39.1 INTRODUCTION.
           2. 39.2 GOALS OF SOFTWARE QUALITY ASSURANCE.
           3. 39.3 SOFTWARE DEVELOPMENT LIFE CYCLE.
           4. 39.4 TYPES OF SOFTWARE ERRORS
           5. 39.5 DESIGNING SOFTWARE TEST CASES
           6. 39.6 BEFORE GOING INTO PRODUCTION
           7. 39.7 MANAGING CHANGE.
           8. 39.8 SOURCES OF BUGS AND PROBLEMS.
           9. 39.9 CONCLUSION.
           10. 39.10 FURTHER READING
       18. CHAPTER 40: MANAGING SOFTWARE PATCHES AND VULNERABILITIES
           1. 40.1 INTRODUCTION.
           2. 40.2 MOTIVATION FOR USING AUTOMATED PATCHING SOLUTIONS.
           3. 40.3 PATCH AND VULNERABILITY MANAGEMENT PROCESS.
           4. 40.4 PATCH AND VULNERABILITY MANAGEMENT ISSUES.
           5. 40.5 CONCLUSION AND SUMMARY OF MAJOR RECOMMENDATIONS.
           6. 40.6 FURTHER READING
           7. 40.7 NOTES
       19. CHAPTER 41: ANTIVIRUS TECHNOLOGY
           1. 41.1 INTRODUCTION.
           2. 41.2 HISTORY OF VIRAL CHANGES.
           3. 41.3 ANTIVIRUS BASICS.
           4. 41.4 SCANNING METHODOLOGIES.
           5. 41.5 CONTENT FILTERING.
           6. 41.6 ANTIVIRUS DEPLOYMENT.
           7. 41.7 POLICIES AND STRATEGIES.
           8. 41.8 CONCLUDING REMARKS.
           9. 41.9 FURTHER READING
           10. 41.10 NOTE
       20. CHAPTER 42: PROTECTING DIGITAL RIGHTS: TECHNICAL APPROACHES
           1. 42.1 INTRODUCTION.
           2. 42.2 SOFTWARE-BASED ANTIPIRACY TECHNIQUES.
           3. 42.3 HARDWARE-BASED ANTIPIRACY TECHNIQUES.
           4. 42.4 DIGITAL RIGHTS MANAGEMENT.
           5. 42.5 PRIVACY-ENHANCING TECHNOLOGIES.
           6. 42.6 FUNDAMENTAL PROBLEMS.
           7. 42.7 SUMMARY.
           8. 42.8 GLOSSARY.
           9. 42.9 FURTHER READING
           10. 42.10 NOTES
2. Volume II: Computer Security Handbook
   1. Title Page
   2. Copyright
   3. Contents
   4. PREFACE
   5. ACKNOWLEDGMENTS
   6. INTRODUCTION TO PART IV: PREVENTION: HUMAN FACTORS
      1. CHAPTER 43: ETHICAL DECISION MAKING AND HIGH TECHNOLOGY
         1. 43.1 INTRODUCTION: THE ABCs OF COMPUTER ETHICS
         2. 43.2 AWARENESS.
         3. 43.3 BASICS.
         4. 43.4 CONSIDERATIONS.
         5. 43.5 CONCLUDING REMARKS.
         6. 43.6 FURTHER READING.
      2. CHAPTER 44: SECURITY POLICY GUIDELINES
         1. 44.1 INTRODUCTION.
         2. 44.2 TERMINOLOGY.
         3. 44.3 RESOURCES FOR POLICY WRITERS.
         4. 44.4 WRITING THE POLICIES.
         5. 44.5 ORGANIZING THE POLICIES.
         6. 44.6 PRESENTING THE POLICIES.
         7. 44.7 MAINTAINING POLICIES.
         8. 44.8 SUMMARY.
         9. 44.9 FURTHER READING
         10. 44.10 NOTES
      3. CHAPTER 45: EMPLOYMENT PRACTICES AND POLICIES
         1. 45.1 INTRODUCTION.
         2. 45.2 HIRING.
         3. 45.3 MANAGEMENT.
         4. 45.4 TERMINATION OF EMPLOYMENT.
         5. 45.5 SUMMARY.
         6. 45.6 FURTHER READING
         7. 45.7 NOTES
      4. CHAPTER 46: VULNERABILITY ASSESSMENT
         1. 46.1 SCOREKEEPER OF SECURITY MANAGEMENT.
         2. 46.2 TAXONOMY OF VULNERABILITY ASSESSMENT TECHNOLOGIES.
         3. 46.3 PENETRATION TESTING.
         4. 46.4 FURTHER READING
         5. 46.5 NOTES
      5. CHAPTER 47: OPERATIONS SECURITY AND PRODUCTION CONTROLS
         1. 47.1 INTRODUCTION.
         2. 47.2 OPERATIONS MANAGEMENT.
         3. 47.3 PROVIDING A TRUSTED OPERATING SYSTEM.
         4. 47.4 PROTECTION OF DATA
         5. 47.5 DATA VALIDATION.
         6. 47.6 CONCLUDING REMARKS.
         7. 47.7 FURTHER READING
         8. 47.8 NOTES
      6. CHAPTER 48: E-MAIL AND INTERNET USE POLICIES
         1. 48.1 INTRODUCTION.
         2. 48.2 DAMAGING THE REPUTATION OF THE ENTERPRISE.
         3. 48.3 THREATS TO PEOPLE AND SYSTEMS.
         4. 48.4 THREATS TO PRODUCTIVITY.
         5. 48.5 LEGAL LIABILITY.
         6. 48.6 RECOMMENDATIONS.
         7. 48.7 CONCLUDING REMARKS.
         8. 48.8 FURTHER READING
         9. 48.9 NOTES
      7. CHAPTER 49: IMPLEMENTING A SECURITY AWARENESS PROGRAM
         1. 49.1 INTRODUCTION.
         2. 49.2 AWARENESS AS A SURVIVAL TECHNIQUE.
         3. 49.3 CRITICAL SUCCESS FACTORS.
         4. 49.4 OBSTACLES AND OPPORTUNITIES.
         5. 49.5 APPROACH.
         6. 49.6 CONTENT.
         7. 49.7 TECHNIQUES AND PRINCIPLES.
         8. 49.8 TOOLS.
         9. 49.9 MEASUREMENT AND EVALUATION.
         10. 49.10 CONCLUSION.
         11. 49.11 GLOSSARY
         12. 49.12 FURTHER READING
         13. 49.13 NOTES
      8. CHAPTER 50: USING SOCIAL PSYCHOLOGY TO IMPLEMENT SECURITY POLICIES
         1. 50.1 INTRODUCTION.
         2. 50.2 RATIONALITY IS NOT ENOUGH.
         3. 50.3 BELIEFS AND ATTITUDES.
         4. 50.4 ENCOURAGING INITIATIVE.
         5. 50.5 GROUP BEHAVIOR.
         6. 50.6 TECHNOLOGICAL GENERATION GAPS.
         7. 50.7 SUMMARY OF RECOMMENDATIONS.
         8. 50.8 FURTHER READING
         9. 50.9 NOTES
      9. CHAPTER 51: SECURITY STANDARDS FOR PRODUCTS
         1. 51.1 INTRODUCTION.
         2. 51.2 NONSTANDARD PRODUCT ASSESSMENT ALTERNATIVES.
         3. 51.3 SECURITY ASSESSMENT STANDARDS FOR PRODUCTS.
         4. 51.4 STANDARDS FOR ASSESSING PRODUCT BUILDERS.
         5. 51.5 COMBINED PRODUCT AND PRODUCT BUILDER ASSESSMENT STANDARDS.
         6. 51.6 COMMON CRITERIA PARADIGM OVERVIEW.
         7. 51.7 DETAILS ABOUT THE COMMON CRITERIA STANDARD.
         8. 51.8 USING THE CC TO DEFINE SECURITY REQUIREMENTS AND SECURITY SOLUTIONS.
         9. 51.9 COMMON TEST METHODOLOGY FOR CC TESTS AND EVALUATIONS.
         10. 51.10 GLOBAL RECOGNITION OF CEM/CC-BASED ASSESSMENTS.
         11. 51.11 EXAMPLE NATIONAL SCHEME: CCEVS.
         12. 51.12 VALIDATED PROFILES AND PRODUCTS.
         13. 51.13 BENEFITS OF CC EVALUATION.
         14. 51.14 CONCLUDING REMARKS.
         15. 51.15 NOTES
   7. INTRODUCTION TO PART V: DETECTING SECURITY BREACHES
      1. CHAPTER 52: APPLICATION CONTROLS
         1. 52.1 PROTECTION IN APPLICATION DEVELOPMENT.
         2. 52.2 PROTECTING ONLINE FILES.
         3. 52.3 PROTECTING BATCH FILES
         4. 52.4 ENSURING THAT INFORMATION IN THE SYSTEM IS VALID.
         5. 52.5 CONCLUDING REMARKS.
         6. 52.6 FURTHER READING
         7. 52.7 NOTE
      2. CHAPTER 53: MONITORING AND CONTROL SYSTEMS
         1. 53.1 INTRODUCTION.
         2. 53.2 CHANGE AND SECURITY IMPLICATIONS
         3. 53.3 SYSTEM MODELS
         4. 53.4 TARGETS AND METHODS.
         5. 53.5 LOG MANAGEMENT
         6. 53.6 DATA AGGREGATION AND REDUCTION
         7. 53.7 NOTIFICATIONS AND REPORTING
         8. 53.8 MONITORING AND CONTROL CHALLENGES
         9. 53.9 SUMMARY.
         10. 53.10 REFERENCES
         11. 53.11 NOTES
      3. CHAPTER 54: SECURITY AUDITS, STANDARDS, AND INSPECTIONS
         1. 54.1 INTRODUCTION.
         2. 54.2 AUDITING STANDARDS.
         3. 54.3 SAS 70 AUDITS.
         4. 54.4 SARBANES-OXLEY
         5. 54.5 ADDRESSING MULTIPLE REGULATIONS FOR INFORMATION SECURITY.
         6. 54.6 TECHNICAL FRAMEWORKS FOR IT AUDITS.
         7. 54.7 FURTHER READING
         8. 54.8 NOTES
      4. CHAPTER 55: CYBER INVESTIGATION1
         1. 55.1 INTRODUCTION.
         2. 55.2 END-TO-END DIGITAL INVESTIGATION.
         3. 55.3 APPLYING THE FRAMEWORK AND EEDI.
         4. 55.4 USING EEDI AND THE FRAMEWORK.
         5. 55.5 MOTIVE, MEANS, AND OPPORTUNITY: PROFILING ATTACKERS.
         6. 55.6 SOME USEFUL TOOLS.
         7. 55.7 CONCLUDING REMARKS.
         8. 55.8 FURTHER READING
         9. 55.9 NOTES
   8. INTRODUCTION TO PART VI: RESPONSE AND REMEDIATION
      1. CHAPTER 56: COMPUTER SECURITY INCIDENT RESPONSE TEAMS1
         1. 56.1 OVERVIEW.
         2. 56.2 PLANNING THE TEAM.
         3. 56.3 SELECTING AND BUILDING THE TEAM.
         4. 56.4 PRINCIPLES UNDERLYING EFFECTIVE RESPONSE TO COMPUTER SECURITY INCIDENTS.
         5. 56.5 RESPONDING TO COMPUTER EMERGENCIES.
         6. 56.6 MANAGING THE CSIRT.
         7. 56.7 POSTINCIDENT ACTIVITIES.
         8. 56.8 CONCLUDING REMARKS.
         9. 56.9 FURTHER READING
         10. 56.10 NOTES
      2. CHAPTER 57: DATA BACKUPS AND ARCHIVES
         1. 57.1 INTRODUCTION.
         2. 57.2 MAKING BACKUPS.
         3. 57.3 BACKUP STRATEGIES.
         4. 57.4 DATA LIFE CYCLE MANAGEMENT.
         5. 57.5 SAFEGUARDING BACKUPS.
         6. 57.6 DISPOSAL.
         7. 57.7 COSTS.
         8. 57.8 OPTIMIZING FREQUENCY OF BACKUPS.
         9. 57.9 CONCLUDING REMARKS.
         10. 57.10 FURTHER READING
         11. 57.11 NOTES
      3. CHAPTER 58: BUSINESS CONTINUITY PLANNING
         1. 58.1 INTRODUCTION.
         2. 58.2 DEFINING THE GOALS.
         3. 58.3 PERFORMING A BUSINESS IMPACT ANALYSIS.
         4. 58.4 BUSINESS IMPACT ANALYSIS MATRIX ANALYSIS.
         5. 58.5 JUSTIFYING THE COSTS.
         6. 58.6 PLAN PRESENTATION.
         7. 58.7 CONCLUDING REMARKS.
         8. 58.8 FURTHER READING
      4. CHAPTER 59: DISASTER RECOVERY
         1. 59.1 INTRODUCTION.
         2. 59.2 IDENTIFYING THREATS AND DISASTER SCENARIOS.
         3. 59.3 DEVELOPING RECOVERY STRATEGIES.
         4. 59.4 DESIGNING RECOVERY TASKS.
         5. 59.5 IMPLEMENTATION AND READINESS.
         6. 59.6 CONCLUDING REMARKS.
         7. 59.7 FURTHER READING
      5. CHAPTER 60: INSURANCE RELIEF
         1. 60.1 INTRODUCTION.
         2. 60.2 INTELLECTUAL PROPERTY COVERAGE.
         3. 60.3 PROPERTY COVERAGE.
         4. 60.4 CRIME/FIDELITY COVERAGE.
         5. 60.5 E-COMMERCE POLICIES.
         6. 60.6 PRIVACY AND IDENTITY THEFT EXPOSURES.
         7. 60.7 CONCLUDING REMARKS.
         8. 60.8 FURTHER READING
         9. 60.9 NOTES
      6. CHAPTER 61: WORKING WITH LAW ENFORCEMENT
         1. 61.1 INTRODUCTION.
         2. 61.2 RELEVANT LAWS.
         3. 61.3 PLAN AHEAD.
         4. 61.4 MEMORANDUM OF AGREEMENT.
         5. 61.5 HANDLING EVIDENCE AND THE CHAIN OF CUSTODY.
         6. 61.6 ISSUES OF LIABILITY.
         7. 61.7 ASK LAW ENFORCEMENT TO GIVE BACK.
         8. 61.8 THE KNOCK AT THE DOOR.
         9. 61.9 KEEPING YOUR OPERATION RUNNING DURING AN INVESTIGATION.
         10. 61.10 NONELECTRONIC RECORDS AND THE INSIDER THREAT
         11. 61.11 INFORMATION SHARING (THE HUMAN FACTOR).
         12. 61.12 CONCLUSION.
         13. 61.13 FURTHER READING
         14. 61.14 NOTES
   9. INTRODUCTION TO PART VII: MANAGEMENT'S ROLE IN SECURITY
      1. CHAPTER 62: RISK ASSESSMENT AND RISK MANAGEMENT
         1. 62.1 INTRODUCTION TO RISK MANAGEMENT
         2. 62.2 OBJECTIVE OF A RISK ASSESSMENT.
         3. 62.3 LIMITATIONS OF QUESTIONNAIRES IN ASSESSING RISKS.
         4. 62.4 MODEL OF RISK.
         5. 62.5 RISK MITIGATION.
         6. 62.6 RISK ASSESSMENT TECHNIQUES.
         7. 62.7 SUMMARY.
         8. 62.8 FURTHER READING
         9. 62.9 NOTES
      2. CHAPTER 63: MANAGEMENT RESPONSIBILITIES AND LIABILITIES
         1. 63.1 INTRODUCTION.
         2. 63.2 RESPONSIBILITIES.
         3. 63.3 LIABILITIES.
         4. 63.4 COMPUTER MANAGEMENT FUNCTIONS.
         5. 63.5 SECURITY ADMINISTRATION.
         6. 63.6 CONCLUDING REMARKS.
         7. 63.7 FURTHER READING
         8. 63.8 NOTES
      3. CHAPTER 64: U.S. LEGAL AND REGULATORY SECURITY ISSUES
         1. 64.1 INTRODUCTION.
         2. 64.2 SARBANES-OXLEY ACT OF 2002.
         3. 64.3 GRAMM-LEACH-BLILEY ACT.
         4. 64.4 EXAMINATION PROCEDURES TO EVALUATE COMPLIANCE WITH GUIDELINES FOR SAFEGUARDING CUSTOMER INFORMATION.
         5. 64.5 CONCLUDING REMARKS.
         6. 64.6 FURTHER READING
         7. 64.7 NOTES
      4. CHAPTER 65: ROLE OF THE CISO
         1. 65.1 CISO AS CHANGE AGENT.
         2. 65.2 CISO AS STRATEGIST.
         3. 65.3 STRATEGY, GOVERNANCE, AND THE STANDARD OF CARE.
         4. 65.4 SUMMARY OF ACTIONS.
         5. 65.5 RECOMMENDATIONS FOR SUCCESS FOR CISOs.
         6. 65.6 CONCLUDING REMARKS.
         7. 65.7 NOTES
      5. CHAPTER 66: DEVELOPING SECURITY POLICIES
         1. 66.1 INTRODUCTION.
         2. 66.2 COLLABORATING IN BUILDING SECURITY POLICIES.
         3. 66.3 PHASE 1: PRELIMINARY EVALUATION.
         4. 66.4 PHASE 2: MANAGEMENT SENSITIZATION.
         5. 66.5 PHASE 3: NEEDS ANALYSIS.
         6. 66.6 PHASE 4: POLICIES AND PROCEDURES.
         7. 66.7 PHASE 5: IMPLEMENTATION.
         8. 66.8 PHASE 6: MAINTENANCE.
         9. 66.9 CONCLUDING REMARKS.
         10. 66.10 NOTES
      6. CHAPTER 67: DEVELOPING CLASSIFICATION POLICIES FOR DATA
         1. 67.1 INTRODUCTION.
         2. 67.2 WHY DATA CLASSIFICATION IS PERFORMED.
         3. 67.3 DATA CLASSIFICATION'S ROLE IN INFORMATION SECURITY.
         4. 67.4 LEGAL REQUIREMENTS, COMPLIANCE STANDARDS, AND DATA CLASSIFICATION.
         5. 67.5 DESIGNING AND IMPLEMENTING DC.
         6. 67.6 CONCLUDING REMARKS.
         7. 67.7 NOTES
      7. CHAPTER 68: OUTSOURCING AND SECURITY
         1. 68.1 INTRODUCTION.
         2. 68.2 WHY OUTSOURCE?
         3. 68.3 CAN OUTSOURCING FAIL?
         4. 68.4 CONTROLLING THE RISKS.
         5. 68.5 OUTSOURCING SECURITY FUNCTIONS.
         6. 68.6 CONCLUDING REMARKS.
         7. 68.7 FURTHER READING
         8. 68.8 NOTES
   10. INTRODUCTION TO PART VIII: PUBLIC POLICY AND OTHER CONSIDERATIONS
       1. CHAPTER 69: PRIVACY IN CYBERSPACE: U.S. AND EUROPEAN PERSPECTIVES
          1. 69.1 INTRODUCTION: WORLDWIDE TRENDS.
          2. 69.2 EUROPEAN APPROACHES TO PRIVACY
          3. 69.3 UNITED STATES
          4. 69.4 COMPLIANCE MODELS.
          5. 69.5 FURTHER READING
          6. 69.6 NOTES
       2. CHAPTER 70: ANONYMITY AND IDENTITY IN CYBERSPACE
          1. 70.1 INTRODUCTION.
          2. 70.2 DEFINITIONS.
          3. 70.3 SOCIAL PSYCHOLOGY OF ANONYMITY.
          4. 70.4 BALANCING RIGHTS AND DUTIES.
          5. 70.5 SYSTEMS ANALYSIS OF ANONYMITY.
          6. 70.6 IMPLICATIONS AND DISCUSSION.
          7. 70.7 CONCLUDING REMARKS.
          8. 70.8 SUMMARY.
          9. 70.9 FURTHER READING
          10. 70.10 NOTES
       3. CHAPTER 71: MEDICAL RECORDS PROTECTION
          1. 71.1 INTRODUCTION.
          2. 71.2 INFORMATION AND INFORMATION TECHNOLOGY IN HEALTHCARE
          3. 71.3 INFORMATION PRIVACY AND SECURITY ARE IMPORTANT IN HEALTHCARE.
          4. 71.4 NONMEDICAL DRIVERS FOR HEALTHCARE INFORMATION PROTECTION.
          5. 71.5 UNITED STATES LAWS AND GOVERNMENT POLICIES.
          6. 71.6 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT.
          7. 71.7 SUMMARY.
          8. 71.8 FURTHER READING
          9. 71.9 NOTES
       4. CHAPTER 72: LEGAL AND POLICY ISSUES OF CENSORSHIP AND CONTENT FILTERING
          1. 72.1 INTRODUCTION
          2. 72.2 U.S. CONTEXT: FIRST AMENDMENT RIGHTS.
          3. 72.3 PARENTAL INVOLVEMENT/RESPONSIBILITY.
          4. 72.4 SUMMARY.
          5. 72.5 FURTHER READING
          6. 72.6 NOTES
       5. CHAPTER 73: EXPERT WITNESSES AND THE DAUBERT CHALLENGE
          1. 73.1 INTRODUCTION.
          2. 73.2 DAUBERT .
          3. 73.3 WHETHER THE DAUBERT CHALLENGE IS APPLICABLE: REFINING DAUBERT .
          4. 73.4 DIVIDED WE FALL?
          5. 73.5 BEING THE BEST YOU CAN BE.
          6. 73.6 SUMMARY.
          7. 73.7 FURTHER READING
          8. 73.8 NOTES
       6. CHAPTER 74: PROFESSIONAL CERTIFICATION AND TRAINING IN INFORMATION ASSURANCE
          1. 74.1 BUILDING SKILLS THROUGH PROFESSIONAL EDUCATION.
          2. 74.2 INFORMATION SECURITY CERTIFICATIONS.
          3. 74.3 PREPARING FOR SECURITY CERTIFICATION EXAMINATIONS.
          4. 74.4 COMMERCIAL TRAINING IN INFORMATION ASSURANCE.
          5. 74.5 CONCLUDING REMARKS.
          6. 74.6 NOTES
       7. CHAPTER 75: UNDERGRADUATE AND GRADUATE EDUCATION IN INFORMATION ASSURANCE
          1. 75.1 INTRODUCTION.
          2. 75.2 U.S. INITIATIVES IN TRAINING AND EDUCATION OF INFORMATION ASSURANCE
          3. 75.3 DISTANCE LEARNING IN HIGHER EDUCATION
          4. 75.4 BUSINESS CONTINUITY MANAGEMENT.
          5. 75.5 CONCLUDING REMARKS.
          6. 75.6 NOTES
       8. CHAPTER 76: EUROPEAN GRADUATE WORK IN INFORMATION ASSURANCE AND THE BOLOGNA DECLARATION1
          1. 76.1 UNDERGRADUATE AND GRADUATE EDUCATION.
          2. 76.2 CONVERGENCE OF EDUCATIONAL PROGRAMS.
          3. 76.3 BACHELOR'S AND MASTER'S IN INFORMATION SECURITY.
          4. 76.4 COMPUTER SCIENCE: DOES IT ENCOMPASS INFORMATION SECURITY, ASSURANCE, AND SECURITY ASSURANCE?
          5. 76.5 BOLOGNA BACHELOR'S DEGREE.
          6. 76.6 MOVING FROM UNDERGRADUATE TO GRADUATE EDUCATION: BOLOGNA.
          7. 76.7 EXECUTIVE AND SPECIALIZED MASTER'S DEGREES.
          8. 76.8 SIMILARITIES AND DIFFERENCES: ARTS AND SCIENCE.
          9. 76.9 WHAT DO PROGRAMS IN INFORMATION SECURITY TEACH STUDENTS?
          10. 76.10 UNDERGRADUATE EDUCATION: POLYTECHNICS AND UNIVERSITY.
          11. 76.11 INFORMATION ASSURANCE: DEFINING THE TERRITORY.
          12. 76.12 TEACHING INFORMATION SECURITY: THE MALWARE EXAMPLE.
          13. 76.13 CONCLUSION OF EUROPEAN INITIATIVES OVERVIEW.
          14. 76.14 IMPLICATIONS FOR EDUCATION.
          15. 76.15 IMPLICATIONS FOR MANAGERS.
          16. 76.16 NOTES
       9. CHAPTER 77: THE FUTURE OF INFORMATION ASSURANCE1
          1. 77.1 INTRODUCTION
          2. 77.2 VIEW OF THE FUTURE.
          3. 77.3 FOUNDATIONS OF ASSURANCE
          4. 77.4 BEST PRACTICES FOR INCREASING ASSURANCE.
          5. 77.5 ASSURANCE-BASED RISK REDUCTION.
          6. 77.6 ILLUSTRATIVE APPLICATION: COMPUTER-AIDED VOTING.
          7. 77.7 CONCLUSIONS.
          8. 77.8 FURTHER READING
          9. 77.9 NOTES
3. INDEX