book

Secrets and Lies: Digital Security in a Networked World, 15th Anniversary Edition

Name: Secrets and Lies: Digital Security in a Networked World, 15th Anniversary Edition
Author: Bruce Schneier
ISBN: 9781119092438

by Bruce Schneier

March 2015

Intermediate to advanced

448 pages

12h 13m

English

Wiley

Read now

Unlock full access

Cover Page
Title Page
Copyright
Dedication
Contents
Foreword to 2015 15 th Anniversary Edition
Introduction from the Paperback Edition
Preface
About the Author
CHAPTER 1: Introduction
STEP ONE: ENFORCE LIABILITIESSTEP TWO: ALLOW PARTIES TO TRANSFER LIABILITIESSTEP THREE: PROVIDE MECHANISMS TO REDUCE RISKADDITIONAL BOOKSFURTHER READING

PART 1: THE LANDSCAPE
CHAPTER 2: Digital Threats
THE UNCHANGING NATURE OF ATTACKSTHE CHANGING NATURE OF ATTACKSPROACTION VS. REACTION
CHAPTER 3: Attacks
CRIMINAL ATTACKSPRIVACY VIOLATIONSPUBLICITY ATTACKSLEGAL ATTACKS
CHAPTER 4: Adversaries
HACKERSLONE CRIMINALSMALICIOUS INSIDERSINDUSTRIAL ESPIONAGEPRESSORGANIZED CRIMEPOLICETERRORISTSNATIONAL INTELLIGENCE ORGANIZATIONSINFOWARRIORS
CHAPTER 5: Security Needs
PRIVACYMULTILEVEL SECURITYANONYMITYPRIVACY AND THE GOVERNMENTAUTHENTICATIONINTEGRITYAUDITELECTRONIC CURRENCYPROACTIVE SOLUTIONS
PART 2: TECHNOLOGIES
CHAPTER 6: Cryptography
SYMMETRIC ENCRYPTIONTYPES OF CRYPTOGRAPHIC ATTACKSRECOGNIZING PLAINTEXTMESSAGE AUTHENTICATION CODESONE-WAY HASH FUNCTIONSPUBLIC-KEY ENCRYPTIONDIGITAL SIGNATURE SCHEMESRANDOM NUMBER GENERATORSKEY LENGTH
CHAPTER 7: Cryptography in Context
KEY LENGTH AND SECURITYONE-TIME PADSPROTOCOLSINTERNET CRYPTOGRAPHIC PROTOCOLSTYPES OF PROTOCOL ATTACKSCHOOSING AN ALGORITHM OR PROTOCOL
CHAPTER 8: Computer Security
DEFINITIONSACCESS CONTROLSECURITY MODELSSECURITY KERNELS AND TRUSTED COMPUTING BASESCOVERT CHANNELSEVALUATION CRITERIAFUTURE OF SECURE COMPUTERS
CHAPTER 9: Identification and Authentication
PASSWORDSBIOMETRICSACCESS TOKENSAUTHENTICATION PROTOCOLSSINGLE SIGN-ON
CHAPTER 10: Networked-Computer Security
MALICIOUS SOFTWAREMODULAR CODEMOBILE CODEWEB SECURITY
CHAPTER 11: Network Security
HOW NETWORKS WORKIP SECURITYDNS SECURITYDENIAL-OF-SERVICE ATTACKSDISTRIBUTED DENIAL-OF-SERVICE ATTACKSTHE FUTURE OF NETWORK SECURITY
CHAPTER 12: Network Defenses
FIREWALLSDEMILITARIZED ZONESVIRTUAL PRIVATE NETWORKSINTRUSION DETECTION SYSTEMSHONEY POTS AND BURGLAR ALARMSVULNERABILITY SCANNERSE-MAIL SECURITYENCRYPTION AND NETWORK DEFENSES
CHAPTER 13: Software Reliability
FAULTY CODEATTACKS ON FAULTY CODEBUFFER OVERFLOWSTHE UBIQUITY OF FAULTY CODE
CHAPTER 14: Secure Hardware
TAMPER RESISTANCESIDE-CHANNEL ATTACKSATTACKS AGAINST SMART CARDS
CHAPTER 15: Certificates and Credentials
TRUSTED THIRD PARTIESCREDENTIALSCERTIFICATESPROBLEMS WITH TRADITIONAL PKISPKIS ON THE INTERNET
CHAPTER 16: Security Tricks
GOVERNMENT ACCESS TO KEYSDATABASE SECURITYSTEGANOGRAPHYSUBLIMINAL CHANNELSDIGITAL WATERMARKINGCOPY PROTECTIONERASING DIGITAL INFORMATION
CHAPTER 17: The Human Factor
RISKEXCEPTION HANDLINGHUMAN–COMPUTER INTERFACEHUMAN–COMPUTER TRANSFERENCEMALICIOUS INSIDERSSOCIAL ENGINEERING
PART 3: STRATEGIES
CHAPTER 18: Vulnerabilities and the Vulnerability Landscape
ATTACK METHODOLOGYCOUNTERMEASURESTHE VULNERABILITY LANDSCAPERATIONALLY APPLYING COUNTERMEASURES
CHAPTER 19: Threat Modeling and Risk Assessment
FAIR ELECTIONSSECURE TELEPHONESSECURE E - MAILSTORED-VALUE SMART CARDSRISK ASSESSMENTTHE POINT OF THREAT MODELINGGETTING THE THREAT WRONG
CHAPTER 20: Security Policies and Countermeasures
SECURITY POLICIESTRUSTED CLIENT SOFTWAREAUTOMATIC TELLER MACHINESCOMPUTERIZED LOTTERY TERMINALSSMART CARDS VS. MEMORY CARDSRATIONAL COUNTERMEASURES
CHAPTER 21: Attack Trees
BASIC ATTACK TREESPGP ATTACK TREECREATING AND USING ATTACK TREES
CHAPTER 22: Product Testing and Verification
THE FAILURE OF TESTINGDISCOVERING SECURITY FLAWS AFTER THE FACTOPEN STANDARDS AND OPEN SOURCE SOLUTIONSREVERSE ENGINEERING AND THE LAWCRACKING AND HACKING CONTESTSEVALUATING AND CHOOSING SECURITY PRODUCTS
CHAPTER 23: The Future of Products
SOFTWARE COMPLEXITY AND SECURITYTECHNOLOGIES TO WATCHWILL WE EVER LEARN?
CHAPTER 24: Security Processes
PRINCIPLESDETECTION AND RESPONSECOUNTERATTACKMANAGE RISKOUTSOURCING SECURITY PROCESSES
CHAPTER 25: Conclusion
Afterword
Resources
Acknowledgments
Index

Content preview from Secrets and Lies: Digital Security in a Networked World, 15th Anniversary Edition

20 Security Policies and Countermeasures

Spend enough time doing threat modeling, and it becomes plain that the phrase “secure system” has different meanings depending on context. Some examples:

Business computers need to be secure against hackers, criminals, and industrial competitors. Military computers need to be secure against all those threats plus enemy militaries. Some business computers, those that run the telephone service are a good example, need to be secure against military threats as well.

Many urban transportation systems use prepaid farecards instead of cash. Similar prepaid phone card systems are used throughout Europe and Asia. These systems need to be secure against forgery in all of its forms. Of course, forgeries that cost the forgers more than legitimate use are not a problem.

E-mail security programs need to ensure that e-mail is secure against eavesdropping and alteration by any type of attacker. Of course, the program cannot protect against manipulation at the end points: a Trojan horse in the computer, a TEMPEST attack against the computer, a video camera that can read the screen, and so forth. Encrypted telephones are the same; they can secure the voice conversation in transit, but can do nothing about room bugs.

The trick is to design systems that are secure against the real threats, and not to haphazardly use security technologies with the belief that something good will come of it. The way to do that is to build a security policy (sometimes called ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

ISC2 CISSP Certified Information Systems Security Professional Official Study Guide, 10th Edition

Publisher Resources

ISBN: 9781119092438Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Secrets and Lies: Digital Security in a Networked World, 15th Anniversary Edition

by Bruce Schneier

20

Security Policies and Countermeasures

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.