Elementary Information Security

Book Description

Comprehensive and accessible, Elementary Information Security covers the entire range of topics required for US government courseware certification NSTISSI 4013 and urges students to analyze a variety of security problems while gaining experience with basic tools of the trade. Written for the one-term undergraduate course, the text emphasizes both the technical and non-technical aspects of information security and uses practical examples and real-world assessment tools. Early chapters in the text discuss individual computers and small LANs, while later chapters deal with distributed site security and the Internet. Cryptographic topics follow the same progression, starting on a single computer and evolving to Internet-level connectivity. Mathematical concepts throughout the text are defined and tutorials with mathematical tools are provided to ensure students grasp the information at hand. Rather than emphasizing memorization, this text challenges students to learn how to analyze a variety of security problems and gain experience with the basic tools of this growing trade.

Key Features:

- Covers all topics required by the US government curriculum standard NSTISSI 4013.
- Unlike other texts on the topic, the author goes beyond defining the math concepts and provides students with tutorials and practice with mathematical tools, making the text appropriate for a broad range of readers.
- Problem Definitions describe a practical situation that includes a security dilemma.
- Technology Introductions provide a practical explanation of security technology to be used in the specific chapters.
- Implementation Examples show the technology being used to enforce the security policy at hand.
- Residual Risks describe the limitations of the technology and illustrate various tasks against it.
- Each chapter includes worked examples of techniques students will need to be successful in the course. For instance, there will be numerous examples of how to calculate the number of attempts needed to crack secret information in particular formats: PINs, passwords and encryption keys.

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright
  4. Contents
  5. Preface
  6. Chapter 1 Security from the Ground Up
    1. 1.1 The Security Landscape
      1. 1.1.1 Making Security Decisions
      2. 1.1.2 The Security Process
      3. 1.1.3 Continuous Improvement: A Basic Principle
    2. 1.2 Process Example: Bob’s Computer
    3. 1.3 Assets and Risk Assessment
      1. 1.3.1 What Are We Protecting?
      2. 1.3.2 Security Boundaries
      3. 1.3.3 Security Architecture
      4. 1.3.4 Risk Assessment Overview
    4. 1.4 Identifying Risks
      1. 1.4.1 Threat Agents
      2. 1.4.2 Security Properties, Services, and Attacks
    5. 1.5 Prioritizing Risks
      1. 1.5.1 Example: Risks to Alice’s Laptop
      2. 1.5.2 Other Risk-Assessment Processes
    6. 1.6 Ethical Issues in Security Analysis
      1. 1.6.1 Searching for Vulnerabilities
      2. 1.6.2 Sharing or Publishing Vulnerabilities
    7. 1.7 Security Example: Aircraft Hijacking
      1. 1.7.1 Hijacking: A High-Level Analysis
      2. 1.7.2 September 11, 2001
    8. 1.8 Resources
      1. 1.8.1 Review Questions
      2. 1.8.2 Exercises
  7. Chapter 2 Controlling a Computer
    1. 2.1 Computers and Programs
      1. 2.1.1 Input/Output
      2. 2.1.2 Program Execution
      3. 2.1.3 Procedures
    2. 2.2 Programs and Processes
      1. 2.2.1 Switching Between Processes
      2. 2.2.2 The Operating System
    3. 2.3 Buffer Overflow and the Morris Worm
      1. 2.3.1 The “Finger” Overflow
      2. 2.3.2 Security Alerts
    4. 2.4 Access Control Strategies
      1. 2.4.1 Puzzles and Patterns
      2. 2.4.2 Chain of Control: Another Basic Principle
    5. 2.5 Keeping Processes Separate
      1. 2.5.1 Sharing a Program
      2. 2.5.2 Sharing Data
    6. 2.6 Security Policy and Implementation
      1. 2.6.1 Analyzing Alice’s Risks
      2. 2.6.2 Constructing Alice’s Policy
      3. 2.6.3 Alice’s Security Controls
    7. 2.7 Security Plan: Process Protection
    8. 2.8 Resources
      1. 2.8.1 Review Questions
      2. 2.8.2 Exercises
  8. Chapter 3 Controlling Files
    1. 3.1 The File System
      1. 3.1.1 File Ownership and Access Rights
      2. 3.1.2 Directory Access Rights
    2. 3.2 Executable Files
      1. 3.2.1 Execution Access Rights
      2. 3.2.2 Computer Viruses
      3. 3.2.3 Macro Viruses
      4. 3.2.4 Modern Malware: A Rogue’s Gallery
    3. 3.3 Sharing and Protecting Files
      1. 3.3.1 Policies for Sharing and Protection
    4. 3.4 Security Controls for Files
      1. 3.4.1 Deny by Default: A Basic Principle
      2. 3.4.2 Managing Access Rights
      3. 3.4.3 Capabilities
    5. 3.5 File Security Controls
      1. 3.5.1 File Permission Flags
      2. 3.5.2 Security Controls to Enforce Bob’s Policy
      3. 3.5.3 States and State Diagrams
    6. 3.6 Patching Security Flaws
    7. 3.7 Process Example: The Horse
      1. 3.7.1 Troy: A High-Level Analysis
      2. 3.7.2 Analyzing the Security Failure
    8. 3.8 Resources
      1. 3.8.1 Review Questions
      2. 3.8.2 Exercises
  9. Chapter 4 Sharing Files
    1. 4.1 Controlled Sharing
      1. 4.1.1 Basic File Sharing on Windows
      2. 4.1.2 User Groups
      3. 4.1.3 Least Privilege and Administrative Users
    2. 4.2 File Permission Flags
      1. 4.2.1 Permission Flags and Ambiguities
      2. 4.2.2 Permission Flag Examples
    3. 4.3 Access Control Lists
      1. 4.3.1 POSIX ACLs
      2. 4.3.2 Macintosh OS-X ACLs
    4. 4.4 Microsoft Windows ACLs
      1. 4.4.1 Denying Access
      2. 4.4.2 Default File Protection
    5. 4.5 A Different Trojan Horse
    6. 4.6 Phase Five: Monitoring the System
      1. 4.6.1 Logging Events
      2. 4.6.2 External Security Requirements
    7. 4.7 Resources
      1. 4.7.1 Review Questions
      2. 4.7.2 Exercises
  10. Chapter 5 Storing Files
    1. 5.1 Phase Six: Recovery
      1. 5.1.1 The Aftermath of an Incident
      2. 5.1.2 Legal Disputes
    2. 5.2 Digital Evidence
      1. 5.2.1 Collecting Legal Evidence
      2. 5.2.2 Digital Evidence Procedures
    3. 5.3 Storing Data on a Hard Drive
      1. 5.3.1 Hard Drive Controller
      2. 5.3.2 Hard Drive Formatting
      3. 5.3.3 Error Detection and Correction
      4. 5.3.4 Hard Drive Partitions
      5. 5.3.5 Memory Sizes and Address Variables
    4. 5.4 FAT: An Example File System
      1. 5.4.1 Boot Blocks
      2. 5.4.2 Building Files from Clusters
      3. 5.4.3 FAT Directories
    5. 5.5 Modern File Systems
      1. 5.5.1 Unix File System
      2. 5.5.2 Apple’s HFS Plus
      3. 5.5.3 Microsoft’s NTFS
    6. 5.6 Input/Output and File System Software
      1. 5.6.1 Software Layering
      2. 5.6.2 A Typical I/O Operation
      3. 5.6.3 Security and I/O
    7. 5.7 Resources
      1. 5.7.1 Review Questions
      2. 5.7.2 Exercises
  11. Chapter 6 Authenticating People
    1. 6.1 Unlocking a Door
      1. 6.1.1 Authentication Factors
      2. 6.1.2 Threats and Risks
    2. 6.2 Evolution of Password Systems
      1. 6.2.1 One-Way Hash Functions
      2. 6.2.2 Sniffing Credentials
    3. 6.3 Password Guessing
      1. 6.3.1 Password Search Space
      2. 6.3.2 Truly Random Password Selection
      3. 6.3.3 Cracking Speeds
    4. 6.4 Attacks on Password Bias
      1. 6.4.1 Biased Choices and Average Attack Space
      2. 6.4.2 Estimating Language-Based Password Bias
    5. 6.5 Authentication Tokens
      1. 6.5.1 Challenge-Response Authentication
      2. 6.5.2 One-Time Password Tokens
      3. 6.5.3 Token Vulnerabilities
    6. 6.6 Biometric Authentication
      1. 6.6.1 Biometric Accuracy
      2. 6.6.2 Biometric Vulnerabilities
    7. 6.7 Authentication Policy
      1. 6.7.1 Weak and Strong Threats
      2. 6.7.2 Policies for Weak Threat Environments
      3. 6.7.3 Policies for Strong and Extreme Threats
      4. 6.7.4 Password Selection and Handling
    8. 6.8 Resources
      1. 6.8.1 Review Questions
      2. 6.8.2 Exercises
  12. Chapter 7 Encrypting Files
    1. 7.1 Protecting the Accessible
      1. 7.1.1 Process Example: The Encrypted Diary
      2. 7.1.2 Encryption Basics
      3. 7.1.3 Encryption and Information States
    2. 7.2 Encryption and Cryptanalysis
      1. 7.2.1 The Vigenère Cipher
      2. 7.2.2 Electromechanical Encryption
    3. 7.3 Computer-Based Encryption
      1. 7.3.1 Exclusive Or: A Crypto Building Block
      2. 7.3.2 Stream Ciphers: Another Building Block
      3. 7.3.3 Key Stream Security
      4. 7.3.4 The One-Time Pad
    4. 7.4 File Encryption Software
      1. 7.4.1 Built-In File Encryption
      2. 7.4.2 Encryption Application Programs
      3. 7.4.3 Erasing a Plaintext File
      4. 7.4.4 Choosing a File Encryption Program
    5. 7.5 Digital Rights Management
    6. 7.6 Resources
      1. 7.6.1 Review Questions
      2. 7.6.2 Exercises
  13. Chapter 8 Secret and Public Keys
    1. 8.1 The Key Management Challenge
      1. 8.1.1 Rekeying
      2. 8.1.2 Using Text for Encryption Keys
      3. 8.1.3 Key Strength
    2. 8.2 The Reused Key Stream Problem
      1. 8.2.1 Avoiding Reused Keys
      2. 8.2.2 Key Wrapping: Another Building Block
      3. 8.2.3 Separation of Duty: A Basic Principle
      4. 8.2.4 DVD Key Handling
    3. 8.3 Public-Key Cryptography
      1. 8.3.1 Sharing a Secret: Diffie-Hellman
      2. 8.3.2 Diffie-Hellman: The Basics of the Math
      3. 8.3.3 Elliptic Curve Cryptography
    4. 8.4 RSA: Rivest-Shamir-Adleman
      1. 8.4.1 Encapsulating Keys with RSA
      2. 8.4.2 An Overview of RSA Mathematics
    5. 8.5 Data Integrity and Digital Signatures
      1. 8.5.1 Detecting Malicious Changes
      2. 8.5.2 Detecting a Changed Hash Value
      3. 8.5.3 Digital Signatures
    6. 8.6 Publishing Public Keys
      1. 8.6.1 Public-Key Certificates
      2. 8.6.2 Chains of Certificates
      3. 8.6.3 Authenticated Software Updates
    7. 8.7 Resources
      1. 8.7.1 Review Questions
      2. 8.7.2 Exercises
  14. Chapter 9 Encrypting Volumes
    1. 9.1 Securing a Volume
      1. 9.1.1 Risks to Volumes
      2. 9.1.2 Risks and Policy Trade-Offs
    2. 9.2 Block Ciphers
      1. 9.2.1 Evolution of DES and AES
      2. 9.2.2 The RC4 Story
      3. 9.2.3 Qualities of Good Encryption Algorithms
    3. 9.3 Block Cipher Modes
      1. 9.3.1 Stream Cipher Modes
      2. 9.3.2 Cipher Feedback Mode
      3. 9.3.3 Cipher Block Chaining
    4. 9.4 Encrypting a Volume
      1. 9.4.1 Volume Encryption in Software
      2. 9.4.2 Adapting an Existing Mode
      3. 9.4.3 A “Tweakable” Encryption Mode
      4. 9.4.4 Residual Risks
    5. 9.5 Encryption in Hardware
      1. 9.5.1 The Drive Controller
      2. 9.5.2 Drive Locking and Unlocking
    6. 9.6 Managing Encryption Keys
      1. 9.6.1 Key Storage
      2. 9.6.2 Booting an Encrypted Drive
      3. 9.6.3 Residual Risks to Keys
    7. 9.7 Resources
      1. 9.7.1 Review Questions
      2. 9.7.2 Exercises
  15. Chapter 10 Connecting Computers
    1. 10.1 The Network Security Problem
      1. 10.1.1 Basic Network Attacks and Defenses
      2. 10.1.2 Physical Network Protection
      3. 10.1.3 Host and Network Integrity
    2. 10.2 Transmitting Information
      1. 10.2.1 Message Switching
      2. 10.2.2 Circuit Switching
      3. 10.2.3 Packet Switching
    3. 10.3 Putting Bits on a Wire
      1. 10.3.1 Wireless Transmission
      2. 10.3.2 Transmitting Packets
      3. 10.3.3 Recovering a Lost Packet
    4. 10.4 Ethernet: A Modern LAN
      1. 10.4.1 Wiring a Small Network
      2. 10.4.2 Ethernet Frame Format
      3. 10.4.3 Finding Host Addresses
      4. 10.4.4 Handling Collisions
    5. 10.5 The Protocol Stack
      1. 10.5.1 Relationships Between Layers
      2. 10.5.2 The OSI Protocol Model
    6. 10.6 Network Applications
      1. 10.6.1 Resource Sharing
      2. 10.6.2 Data and File Sharing
    7. 10.7 Resources
      1. 10.7.1 Review Questions
      2. 10.7.2 Exercises
  16. Chapter 11 Networks of Networks
    1. 11.1 Building Information Networks
      1. 11.1.1 Point-to-Point Network
      2. 11.1.2 Star Network
      3. 11.1.3 Bus Network
      4. 11.1.4 Tree Network
      5. 11.1.5 Mesh
    2. 11.2 Combining Computer Networks
      1. 11.2.1 Hopping Between Networks
      2. 11.2.2 Evolution of Internet Security
      3. 11.2.3 Internet Structure
    3. 11.3 Talking Between Hosts
      1. 11.3.1 IP Addresses
      2. 11.3.2 IP Packet Format
      3. 11.3.3 Address Resolution Protocol
    4. 11.4 Internet Addresses in Practice
      1. 11.4.1 Addresses, Scope, and Reachability
      2. 11.4.2 Private IP Addresses
    5. 11.5 Network Inspection Tools
      1. 11.5.1 Wireshark Examples
      2. 11.5.2 Mapping a LAN with Nmap
    6. 11.6 Resources
      1. 11.6.1 Review Questions
      2. 11.6.2 Exercises
  17. Chapter 12 End-to-End Networking
    1. 12.1 “Smart” Versus “Dumb” Networks
    2. 12.2 Internet Transport Protocols
      1. 12.2.1 Transmission Control Protocol
      2. 12.2.2 Attacks on Protocols
    3. 12.3 Names on the Internet
      1. 12.3.1 Domain Names in Practice
      2. 12.3.2 Looking Up Names
      3. 12.3.3 DNS Protocol
      4. 12.3.4 Investigating Domain Names
      5. 12.3.5 Attacking DNS
    4. 12.4 Internet Gateways and Firewalls
      1. 12.4.1 Network Address Translation
      2. 12.4.2 Filtering and Connectivity
      3. 12.4.3 Software-Based Firewalls
    5. 12.5 Long-Distance Networking
      1. 12.5.1 Older Technologies
      2. 12.5.2 Mature Technologies
      3. 12.5.3 Evolving Technologies
    6. 12.6 Resources
      1. 12.6.1 Review Questions
      2. 12.6.2 Exercises
  18. Chapter 13 Enterprise Computing
    1. 13.1 The Challenge of Community
      1. 13.1.1 Companies and Information Control
      2. 13.1.2 Enterprise Risks
      3. 13.1.3 Social Engineering
    2. 13.2 Management Process
      1. 13.2.1 Security Management Standards
      2. 13.2.2 Deployment Policy Directives
      3. 13.2.3 Management Hierarchies and Delegation
      4. 13.2.4 Managing Information Resources
      5. 13.2.5 Security Audits
      6. 13.2.6 Information Security Professionals
    3. 13.3 Enterprise Issues
      1. 13.3.1 Personnel Security
      2. 13.3.2 Physical Security
      3. 13.3.3 Software Security
    4. 13.4 Enterprise Network Authentication
      1. 13.4.1 Direct Authentication
      2. 13.4.2 Indirect Authentication
      3. 13.4.3 Off-Line Authentication
    5. 13.5 Contingency Planning
      1. 13.5.1 Data Backup and Restoration
      2. 13.5.2 Handling Serious Incidents
      3. 13.5.3 Disaster Preparation and Recovery
    6. 13.6 Resources
      1. 13.6.1 Review Questions
      2. 13.6.2 Exercises
  19. Chapter 14 Network Encryption
    1. 14.1 Communications Security
      1. 14.1.1 Crypto by Layers
      2. 14.1.2 Administrative and Policy Issues
    2. 14.2 Crypto Keys on a Network
      1. 14.2.1 Manual Keying: A Building Block
      2. 14.2.2 Simple Rekeying
      3. 14.2.3 Secret-Key Building Blocks
      4. 14.2.4 Public-Key Building Blocks
      5. 14.2.5 Public-Key Versus Secret-Key Exchanges
    3. 14.3 Crypto Atop the Protocol Stack
      1. 14.3.1 Transport Layer Security—SSL and TLS
      2. 14.3.2 SSL Handshake Protocol
      3. 14.3.3 SSL Record Transmission
    4. 14.4 Network Layer Cryptography
      1. 14.4.1 The Encapsulating Security Payload
      2. 14.4.2 Implementing a VPN
      3. 14.4.3 Internet Key Exchange Protocol
    5. 14.5 Link Encryption on 802.11 Wireless
      1. 14.5.1 Wireless Packet Protection
      2. 14.5.2 Security Associations
    6. 14.6 Encryption Policy Summary
    7. 14.7 Resources
      1. 14.7.1 Review Questions
      2. 14.7.2 Exercises
  20. Chapter 15 Internet Services and Email
    1. 15.1 Internet Services
    2. 15.2 Internet Email
      1. 15.2.1 Email Protocol Standards
      2. 15.2.2 Tracking an Email
      3. 15.2.3 Forging an Email Message
    3. 15.3 Email Security Problems
      1. 15.3.1 Spam
      2. 15.3.2 Phishing
      3. 15.3.3 Email Viruses and Hoaxes
    4. 15.4 Enterprise Firewalls
      1. 15.4.1 Controlling Internet Traffic
      2. 15.4.2 Traffic-Filtering Mechanisms
      3. 15.4.3 Implementing Firewall Rules
    5. 15.5 Enterprise Point of Presence
      1. 15.5.1 POP Topology
      2. 15.5.2 Attacking an Enterprise Site
      3. 15.5.3 The Challenge of Real-Time Media
    6. 15.6 Resources
      1. 15.6.1 Review Questions
      2. 15.6.2 Exercises
  21. Chapter 16 The World Wide Web
    1. 16.1 Hypertext Fundamentals
      1. 16.1.1 Addressing Web Pages
      2. 16.1.2 Retrieving a Static Web Page
    2. 16.2 Basic Web Security
      1. 16.2.1 Static Website Security
      2. 16.2.2 Server Authentication
      3. 16.2.3 Server Masquerades
    3. 16.3 Dynamic Websites
      1. 16.3.1 Scripts on the Web
      2. 16.3.2 States and HTTP
    4. 16.4 Content Management Systems
      1. 16.4.1 Database Management Systems
      2. 16.4.2 Password Checking: A CMS Example
      3. 16.4.3 Command Injection Attacks
    5. 16.5 Ensuring Web Security Properties
      1. 16.5.1 Web Availability
      2. 16.5.2 Web Privacy
    6. 16.6 Resources
      1. 16.6.1 Review Questions
      2. 16.6.2 Exercises
  22. Chapter 17 Governments and Secrecy
    1. 17.1 Secrecy in Government
      1. 17.1.1 The Challenge of Secrecy
      2. 17.1.2 Information Security and Operations
    2. 17.2 Classifications and Clearances
      1. 17.2.1 Security Labeling
      2. 17.2.2 Security Clearances
      3. 17.2.3 Classification Levels in Practice
      4. 17.2.4 Compartments and Other Special Controls
    3. 17.3 National Policy Issues
      1. 17.3.1 Facets of National System Security
      2. 17.3.2 Security Planning
      3. 17.3.3 Certification and Accreditation
    4. 17.4 Communications Security
      1. 17.4.1 Cryptographic Technology
      2. 17.4.2 Crypto Security Procedures
      3. 17.4.3 Transmission Security
    5. 17.5 Data Protection
      1. 17.5.1 Protected Wiring
      2. 17.5.2 TEMPEST
    6. 17.6 Trustworthy Systems
      1. 17.6.1 Integrity of Operations
      2. 17.6.2 Multilevel Security
      3. 17.6.3 Computer Modes of Operation
    7. 17.7 Resources
      1. 17.7.1 Review Questions
      2. 17.7.2 Exercises
  23. Appendix A Acronyms
  24. Appendix B Alternative Security Terms and Concepts
  25. Index
  26. Credits