book

Security in Computing

by Shari Lawrence Pfleeger, Charles P. Pfleeger, Jonathan Margulies

January 2015

Intermediate to advanced

944 pages

33h 37m

English

Pearson

Read now

Unlock full access

Citations
Why Read This Book?Uses for and Users of This BookOrganization of This BookHow to Read This BookWhat Is New in This Book

1.1 What Is Computer Security?Values of AssetsThe Vulnerability–Threat–Control Paradigm1.2 ThreatsConfidentialityIntegrityAvailabilityTypes of ThreatsTypes of Attackers1.3 HarmRisk and Common SenseMethod–Opportunity–Motive1.4 Vulnerabilities1.5 Controls1.6 Conclusion1.7 What’s Next?1.8 Exercises
2.1 AuthenticationIdentification Versus AuthenticationAuthentication Based on Phrases and Facts: Something You KnowAuthentication Based on Biometrics: Something You AreAuthentication Based on Tokens: Something You HaveFederated Identity ManagementMultifactor AuthenticationSecure Authentication2.2 Access ControlAccess PoliciesImplementing Access ControlProcedure-Oriented Access ControlRole-Based Access Control2.3 CryptographyProblems Addressed by EncryptionTerminologyDES: The Data Encryption StandardAES: Advanced Encryption SystemPublic Key CryptographyPublic Key Cryptography to Exchange Secret KeysError Detecting CodesTrustCertificates: Trustable Identities and Public KeysDigital Signatures—All the Pieces2.4 Exercises
3.1 Unintentional (Nonmalicious) Programming OversightsBuffer OverflowIncomplete MediationTime-of-Check to Time-of-UseUndocumented Access PointOff-by-One ErrorInteger OverflowUnterminated Null-Terminated StringParameter Length, Type, and NumberUnsafe Utility ProgramRace Condition3.2 Malicious Code—MalwareMalware—Viruses, Trojan Horses, and WormsTechnical Details: Malicious Code
Countermeasures for UsersCountermeasures for DevelopersCountermeasure Specifically for SecurityCountermeasures that Don’t WorkConclusionExercises
4.1 Browser AttacksBrowser Attack TypesHow Browser Attacks Succeed: Failed Identification and Authentication4.2 Web Attacks Targeting UsersFalse or Misleading ContentMalicious Web ContentProtecting Against Malicious Web Pages4.3 Obtaining User or Website DataCode Within DataWebsite Data: A User’s Problem, TooFoiling Data Attacks4.4 Email AttacksFake EmailFake Email Messages as SpamFake (Inaccurate) Email Header DataPhishingProtecting Against Email Attacks4.5 Conclusion4.6 Exercises
5.1 Security in Operating SystemsBackground: Operating System StructureSecurity Features of Ordinary Operating SystemsA Bit of HistoryProtected ObjectsOperating System Tools to Implement Security Functions5.2 Security in the Design of Operating SystemsSimplicity of DesignLayered DesignKernelized DesignReference MonitorCorrectness and CompletenessSecure Design PrinciplesTrusted SystemsTrusted System FunctionsThe Results of Trusted Systems Research5.3 RootkitPhone RootkitRootkit Evades DetectionRootkit Operates UncheckedSony XCP RootkitTDSS RootkitsOther Rootkits5.4 Conclusion5.5 Exercises
6.1 Network ConceptsBackground: Network Transmission MediaBackground: Protocol LayersBackground: Addressing and RoutingPart I—War on Networks: Network Security Attacks6.2 Threats to Network CommunicationsInterception: Eavesdropping and WiretappingModification, Fabrication: Data CorruptionInterruption: Loss of ServicePort ScanningVulnerability Summary6.3 Wireless Network SecurityWiFi BackgroundVulnerabilities in Wireless NetworksFailed Countermeasure: WEP (Wired Equivalent Privacy)Stronger Protocol Suite: WPA (WiFi Protected Access)6.4 Denial of ServiceExample: Massive Estonian Web FailureHow Service Is DeniedFlooding Attacks in DetailNetwork Flooding Caused by Malicious CodeNetwork Flooding by Resource ExhaustionDenial of Service by Addressing FailuresTraffic RedirectionDNS AttacksExploiting Known VulnerabilitiesPhysical Disconnection
Scripted Denial-of-Service AttacksBotsBotnetsMalicious Autonomous Mobile AgentsAutonomous Mobile Protective AgentsPart II—Strategic Defenses: Security Countermeasures6.6 Cryptography in Network SecurityNetwork EncryptionBrowser EncryptionOnion RoutingIP Security Protocol Suite (IPsec)Virtual Private NetworksSystem Architecture6.7 FirewallsWhat Is a Firewall?Design of FirewallsTypes of FirewallsPersonal FirewallsComparison of Firewall TypesExample Firewall ConfigurationsNetwork Address Translation (NAT)Data Loss Prevention6.8 Intrusion Detection and Prevention SystemsTypes of IDSsOther Intrusion Detection TechnologyIntrusion Prevention SystemsIntrusion ResponseGoals for Intrusion Detection SystemsIDS Strengths and Limitations6.9 Network ManagementManagement to Ensure ServiceSecurity Information and Event Management (SIEM)6.10 Conclusion6.11 Exercises
7.1 Introduction to DatabasesConcept of a DatabaseComponents of DatabasesAdvantages of Using Databases7.2 Security Requirements of DatabasesIntegrity of the DatabaseElement IntegrityAuditabilityAccess ControlUser AuthenticationAvailabilityIntegrity/Confidentiality/Availability7.3 Reliability and IntegrityProtection Features from the Operating SystemTwo-Phase UpdateRedundancy/Internal ConsistencyRecoveryConcurrency/Consistency7.4 Database DisclosureSensitive DataTypes of DisclosuresPreventing Disclosure: Data Suppression and ModificationSecurity Versus Precision7.5 Data Mining and Big DataData MiningBig Data7.6 ConclusionExercises
8.1 Cloud Computing ConceptsService ModelsDeployment Models8.2 Moving to the CloudRisk AnalysisCloud Provider AssessmentSwitching Cloud ProvidersCloud as a Security Control8.3 Cloud Security Tools and TechniquesData Protection in the CloudCloud Application SecurityLogging and Incident Response8.4 Cloud Identity ManagementSecurity Assertion Markup LanguageOAuthOAuth for Authentication8.5 Securing IaaSPublic IaaS Versus Private Network Security8.6 ConclusionWhere the Field Is HeadedTo Learn More8.7 Exercises
9.1 Privacy ConceptsAspects of Information PrivacyComputer-Related Privacy Problems9.2 Privacy Principles and PoliciesFair Information PracticesU.S. Privacy LawsControls on U.S. Government WebsitesControls on Commercial WebsitesNon-U.S. Privacy PrinciplesIndividual Actions to Protect PrivacyGovernments and PrivacyIdentity Theft9.3 Authentication and PrivacyWhat Authentication MeansConclusions9.4 Data MiningGovernment Data MiningPrivacy-Preserving Data Mining9.5 Privacy on the WebUnderstanding the Online EnvironmentPayments on the WebSite and Portal RegistrationsWhose Page Is This?Precautions for Web SurfingSpywareShopping on the Internet9.6 Email SecurityWhere Does Email Go, and Who Can Access It?Interception of EmailMonitoring EmailAnonymous, Pseudonymous, and Disappearing EmailSpoofing and SpammingSummary9.7 Privacy Impacts of Emerging TechnologiesRadio Frequency IdentificationElectronic VotingVoIP and SkypePrivacy in the CloudConclusions on Emerging Technologies9.8 Where the Field Is Headed9.9 Conclusion9.10 Exercises
10.1 Security PlanningOrganizations and Security PlansContents of a Security PlanSecurity Planning Team MembersAssuring Commitment to a Security Plan10.2 Business Continuity PlanningAssess Business ImpactDevelop StrategyDevelop the Plan10.3 Handling IncidentsIncident Response PlansIncident Response Teams10.4 Risk AnalysisThe Nature of RiskSteps of a Risk AnalysisArguments For and Against Risk Analysis10.5 Dealing with DisasterNatural DisastersPower LossHuman VandalsInterception of Sensitive InformationContingency PlanningPhysical Security Recap10.6 Conclusion10.7 Exercises
11.1 Protecting Programs and DataCopyrightsPatentsTrade SecretsSpecial Cases11.2 Information and the LawInformation as an ObjectLegal Issues Relating to InformationThe Legal SystemSummary of Protection for Computer Artifacts11.3 Rights of Employees and EmployersOwnership of ProductsEmployment Contracts11.4 Redress for Software FailuresSelling Correct SoftwareReporting Software Flaws11.5 Computer CrimeWhy a Separate Category for Computer Crime Is NeededWhy Computer Crime Is Hard to DefineWhy Computer Crime Is Hard to ProsecuteExamples of StatutesInternational DimensionsWhy Computer Criminals Are Hard to CatchWhat Computer Crime Does Not AddressSummary of Legal Issues in Computer Security11.6 Ethical Issues in Computer SecurityDifferences Between the Law and EthicsStudying EthicsEthical Reasoning11.7 Incident Analysis with EthicsSituation I: Use of Computer ServicesSituation II: Privacy RightsSituation III: Denial of ServiceSituation IV: Ownership of ProgramsSituation V: Proprietary ResourcesSituation VI: FraudSituation VII: Accuracy of InformationSituation VIII: Ethics of Hacking or CrackingSituation IX: True RepresentationConclusion of Computer EthicsConclusionExercises
12.1 CryptologyCryptanalysisCryptographic PrimitivesOne-Time PadsStatistical AnalysisWhat Makes a “Secure” Encryption Algorithm?12.2 Symmetric Encryption AlgorithmsDESAESRC2, RC4, RC5, and RC612.3 Asymmetric Encryption with RSAThe RSA AlgorithmStrength of the RSA Algorithm12.4 Message DigestsHash FunctionsOne-Way Hash FunctionsMessage Digests12.5 Digital SignaturesElliptic Curve CryptosystemsEl Gamal and Digital Signature AlgorithmsThe NSA–Cryptography Controversy of 201212.6 Quantum CryptographyQuantum PhysicsPhoton ReceptionCryptography with PhotonsImplementation12.7 Conclusion
13.1 The Internet of ThingsMedical DevicesMobile PhonesSecurity in the Internet of Things13.2 EconomicsMaking a Business CaseQuantifying SecurityCurrent Research and Future Directions13.3 Electronic VotingWhat Is Electronic Voting?What Is a Fair Election?What Are the Critical Issues?13.4 Cyber WarfareWhat Is Cyber Warfare?Possible Examples of Cyber WarfareCritical Issues13.5 Conclusion

Content preview from Security in Computing

3. Programs and Programming

In this chapter:

• Programming oversights: buffer overflows, off-by-one errors, incomplete mediation, time-of-check to time-of-use errors

• Malicious code: viruses, worms, Trojan horses

• Developer countermeasures: program development techniques, security principles

• Ineffective countermeasures

Programs are simple things but they can wield mighty power. Think about them for a minute: Programs are just strings of 0s and 1s, representing elementary machine commands such as move one data item, compare two data items, or branch to a different command. Those primitive machine commands implement higher-level programming language constructs such as conditionals, repeat loops, case selection, and arithmetic and string operations. ...