SPECIAL OFFERS
Keep up with new releases and promotions.Sign up to hear from us.
Register your productto gain access to bonus material or receive a coupon.
This eBook includes the following formats, accessible from yourAccountpage after purchase:
EPUBThe open industry format known for its reflowable content and usability on supported mobile devices.
PDFThe popular standard, used most often with the freeAdobe® Reader®software.
This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.
This eBook includes the following formats, accessible from yourAccountpage after purchase:
EPUBThe open industry format known for its reflowable content and usability on supported mobile devices.
PDFThe popular standard, used most often with the freeAdobe® Reader®software.
This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.
“In this book, the authors adopt a refreshingly new approach to explaining the intricacies of the security and privacy challenge that is particularly well suited to today’s cybersecurity challenges. Their use of the threat–vulnerability–countermeasure paradigm combined with extensive real-world examples throughout results in a very effective learning methodology.”
—Charles C. Palmer, IBM ResearchThe Modern Introduction to Computer Security: Understand Threats, Identify Their Causes, and Implement Effective Countermeasures
Analyzing Computer Securityis a fresh, modern, and relevant introduction to computer security. Organized around today’s key attacks, vulnerabilities, and countermeasures, it helps you think critically and creatively about computer security—so you can prevent serious problems and mitigate the effects of those that still occur.
In this new book, renowned security and software engineering experts Charles P. Pfleeger and Shari Lawrence Pfleeger—authors of the classicSecurity in Computing—teach security the way modern security professionals approach it: by identifying the people or things that may cause harm, uncovering weaknesses that can be exploited, and choosing and applying the right protections. With this approach, not only will you study cases of attacks that have occurred, but you will also learn to apply this methodology to new situations.
The book covers “hot button” issues, such as authentication failures, network interception, and denial of service. You also gain new insight into broader themes, including risk analysis, usability, trust, privacy, ethics, and forensics. One step at a time, the book systematically helps you develop the problem-solving skills needed to protect any information infrastructure.
Coverage includes
An Insider's Look into the 2012 Mid-Atlantic Collegiate Cyber Defense Challenge
Security Blanket or Security Theater?
Download the sample pages(includes Chapter 1 and Index)
Foreword xxiii
Preface xxvii
About the Authors xxxv
Chapter 1: Security Blanket or Security Theater? 2
How Dependent Are We on Computers? 6
What Is Computer Security? 8
Threats 11
Harm 24
Vulnerabilities 30
Controls 30
Analyzing Security With Examples 33
Conclusion 34
Exercises 35
Chapter 2: Knock, Knock. Who’s There? 38
攻击:Impersonation 39
Attack Details: Failed Authentication 40
Vulnerability: Faulty or Incomplete Authentication 41
对策:Strong Authentication 47
Conclusion 64
Recurring Thread: Privacy 67
Recurring Thread: Usability 69
Exercises 71
Chapter 3: 2 + 2 = 5 72
攻击:Program Flaw in Spacecraft Software 74
Threat: Program Flaw Leads to Security Failing 75
Vulnerability: Incomplete Mediation 77
Vulnerability: Race Condition 79
Vulnerability: Time-of-Check to Time-of-Use 82
Vulnerability: Undocumented Access Point 84
Ineffective Countermeasure: Penetrate-and-Patch 85
对策:Identifying and Classifying Faults 86
对策:Secure Software Design Elements 90
对策:Secure Software Development Process 97
Good Design 103
对策:Testing 114
对策:Defensive Programming 122
Conclusion 123
Recurring Thread: Legal—Redress for Software Failures 125
Exercises 128
Chapter 4: A Horse of a Different Color 130
攻击:Malicious Code 131
Threat: Malware—Virus, Trojan Horse, and Worm 132
Technical Details: Malicious Code 138
Vulnerability: Voluntary Introduction 155
Vulnerability: Unlimited Privilege 157
Vulnerability: Stealthy Behavior—Hard to Detect and Characterize 157
对策:Hygiene 158
对策:Detection Tools 159
对策:Error Detecting and Error Correcting Codes 166
对策:Memory Separation 170
对策:Basic Security Principles 171
Recurring Thread: Legal—Computer Crime 172
Conclusion 177
Exercises 178
Chapter 5: The Keys to the Kingdom 180
攻击:Keylogging 181
Threat: Illicit Data Access 182
Attack Details 182
Harm: Data and Reputation 186
Vulnerability: Physical Access 186
Vulnerability: Misplaced Trust 187
Vulnerability: Insiders 189
Vulnerability: System Subversion 191
Recurring Thread: Forensics—Tracing Data Flow 193
Vulnerability: Weak Authentication 194
Failed Countermeasure: Security through Obscurity 194
对策:196年物理访问控制
对策:Strong Authentication 198
对策:信任/ 202最小特权
Conclusion 204
Recurring Thread: Forensics—Plug-and-Play Devices 205
Exercises 207
Interlude A: Cloud Computing 210
What Is Cloud Computing? 211
What Are the Risks in the Cloud? 213
Chapter 6: My Cup Runneth Over 216
攻击:What Did You Say That Number Was? 217
Harm: Destruction of Code and Data 218
Vulnerability: Off-by-One Error 230
Vulnerability: Integer Overflow 231
Vulnerability: Unterminated Null-Terminated String 232
Vulnerability: Parameter Length and Number 233
Vulnerability: Unsafe Utility Programs 234
攻击:Important Overflow Exploitation Examples 234
对策:Programmer Bounds Checking 244
对策:Programming Language Support 244
对策:Stack Protection/Tamper Detection 247
对策:Hardware Protection of Executable Space 249
对策:General Access Control 261
Conclusion 272
Exercises 274
Chapter 7: He Who Steals My Purse . . . 276
攻击:Veterans’ Administration Laptop Stolen 277
Threat: Loss of Data 278
Extended Threat: Disaster 278
Vulnerability: Physical Access 279
Vulnerability: Unprotected Availability of Data 279
Vulnerability: Unprotected Confidentiality of Data 279
对策:Policy 280
对策:Physical Security 280
对策:Data Redundancy (Backup) 282
对策:Encryption 286
对策:Disk Encryption 325
Conclusion 326
Exercises 329
Chapter 8: The Root of All Evil 332
Background: Operating System Structure 333
攻击:Phone Rootkit 337
Attack Details: What Is a Rootkit? 338
Vulnerability: Software Complexity 347
Vulnerability: Difficulty of Detection and Eradication 347
对策:Simplicity of Design 348
对策:Trusted Systems 353
Conclusion 364
Exercises 365
Chapter 9: Scanning the Horizon 368
攻击:Investigation, Intrusion, and Compromise 369
Threat: Port Scan 370
Attack Details 371
Harm: Knowledge and Exposure 374
Recurring Thread: Legal—Are Port Scans Legal? 375
Vulnerability: Revealing Too Much 376
Vulnerability: Allowing Internal Access 376
对策:System Architecture 377
对策:Firewall 378
对策:Network Address Translation (NAT) 397
对策:Security Perimeter 399
Conclusion 400
Exercises 402
Chapter 10: Do You Hear What I Hear? 404
攻击:Wireless (WiFi) Network Access 405
Harm: Confidentiality–Integrity–Availability 412
攻击:Unauthorized Access 414
Vulnerability: Protocol Weaknesses 414
Failed Countermeasure: WEP 418
Stronger but Not Perfect Countermeasure: WPA and WPA2 422
Conclusion 426
Recurring Thread: Privacy—Privacy-Preserving Design 427
Exercises 429
Chapter 11: I Hear You Loud and Clear 432
攻击:Enemies Watch Predator Video 433
Attack Details 434
Threat: Interception 437
Vulnerability: Wiretapping 441
对策:Encryption 448
对策:Virtual Private Networks 452
对策:Cryptographic Key Management Regime 456
对策:Asymmetric Cryptography 459
对策:Kerberos 464
Conclusion 468
Recurring Thread: Ethics—Monitoring Users 471
Exercises 472
474年插曲B:电子投票
What Is Electronic Voting? 475
What Is a Fair Election? 477
What Are the Critical Issues? 477
Chapter 12: Disregard That Man Behind the Curtain 482
攻击:Radar Sees Only Blue Skies 483
Threat: Man in the Middle 484
Threat: “In-the-Middle” Activity 487
Vulnerability: Unwarranted Trust 498
Vulnerability: Failed Identification and Authentication 499
Vulnerability: Unauthorized Access 501
Vulnerability: Inadequate Attention to Program Details 501
Vulnerability: Protocol Weakness 502
对策:Trust 503
对策:Identification and Authentication 503
对策:Cryptography 506
Related Attack: Covert Channel 508
Related Attack: Steganography 517
Conclusion 519
Exercises 520
Chapter 13: Not All Is as It Seems 524
Attacks: Forgeries 525
Threat: Integrity Failure 530
Attack Details 530
Vulnerability: Protocol Weaknesses 542
Vulnerability: Code Flaws 543
Vulnerability: Humans 543
对策:Digital Signature 545
对策:Secure Protocols 566
对策:Access Control 566
对策:User Education 568
Possible Countermeasure: Analysis 569
Non-Countermeasure: Software Goodness Checker 571
Conclusion 572
Exercises 574
Chapter 14: Play It [Again] Sam, or, Let’s Look at the Instant Replay 576
攻击:Cloned RFIDs 577
Threat: Replay Attacks 578
Vulnerability: Reuse of Session Data 580
对策:Unrepeatable Protocol 580
对策:Cryptography 583
Conclusion: Replay Attacks 584
Similar Attack: Session Hijack 584
Vulnerability: Electronic Impersonation 588
Vulnerability: Nonsecret Token 588
对策:Encryption 589
对策:IPsec 593
对策:Design 596
Conclusion 597
Exercises 598
Chapter 15: I Can’t Get No Satisfaction 600
攻击:Massive Estonian Web Failure 601
Threat: Denial of Service 602
Threat: Flooding 602
Threat: Blocked Access 603
Threat: Access Failure 604
Case: Beth Israel Deaconess Hospital Systems Down 605
Vulnerability: Insufficient Resources 606
Vulnerability: Addressee Cannot Be Found 611
Vulnerability: Exploitation of Known Vulnerability 613
Vulnerability: Physical Disconnection 613
对策:Network Monitoring and Administration 614
对策:Intrusion Detection and Prevention Systems 618
对策:Management 630
Conclusion: Denial of Service 633
Extended Attack: E Pluribus Contra Unum 635
Technical Details 638
Recurring Thread: Legal—DDoS Crime Does Not Pay 643
Vulnerability: Previously Described Attacks 643
Countermeasures: Preventing Bot Conscription 645
Countermeasures: Handling an Attack Under Way 647
Conclusion: Distributed Denial of Service 648
Exercises 649
Interlude C: Cyber Warfare 652
What Is Cyber Warfare? 653
Examples of Cyber Warfare 654
Critical Issues 656
Chapter 16: ’Twas Brillig, and the Slithy Toves . . . 662
攻击:Grade Inflation 663
Threat: Data Corruption 664
对策:Codes 667
对策:Protocols 668
对策:Procedures 669
对策:Cryptography 670
Conclusion 673
Exercises 674
Chapter 17: Peering through the Window 676
攻击:Sharing Too Much 677
Attack Details: Characteristics of Peer-to-Peer Networks 677
Threat: Inappropriate Data Disclosure 680
Threat: Introduction of Malicious Software 681
Threat: Exposure to Unauthorized Access 682
Vulnerability: User Failure to Employ Access Controls 683
Vulnerability: Unsafe User Interface 683
Vulnerability: Malicious Downloaded Software 684
对策:User Education 685
对策:Secure-by-Default Software 685
对策:Legal Action 686
对策:Outbound Firewall or Guard 688
Conclusion 689
Recurring Thread: Legal—Protecting Computer Objects 691
Exercises 704
Chapter 18: My 100,000 Nearest and Dearest Friends 706
攻击:I See U 707
Threat: Loss of Confidentiality 708
Threat: Data Leakage 709
Threat: Introduction of Malicious Code 710
Attack Details: Unintended Disclosure 711
Vulnerability: Exploiting Trust Relationships 721
Vulnerability: Analysis on Data 722
Vulnerability: Hidden Data Attributes 722
对策:Data Suppression and Modification 724
对策:User Awareness and Education 729
对策:Policy 733
Conclusion 734
Exercises 736
Afterword 738
Challenges Facing Us 739
Critical Issues 741
Moving Forward: Suggested Next Steps for Improving Computer Security 742
And Now for Something a Little Different 746
Bibliography 749
Index 773