Foreword
Preface to the Third Edition
Chapter 1 Is There a Security Problem in Computing?
1.1 What Does "Secure" Mean?
Protecting Valuables
Characteristics of Computer Intrusion
1.2 Attacks
Threats, Vulnerabilities, and Controls
Method, Opportunity, and Motive
1.3 The Meaning of Computer Security
Security Goals
Vulnerabilities
1.4 Computer Criminals
Amateurs
Crackers
Career Criminals
1.5 Methods of Defense
Controls
Effectiveness of Controls
1.6 What's Next
Encryption Overview
Hardware and Software Security
Human Controls in Security
Encryption In-Depth
1.7 Summary
1.8 Terms and Concepts
1.9 Where the Field Is Headed
1.10 To Learn More
1.11 Exercises
Chapter 2 Elementary Cryptography
2.1 Terminology and Background
Terminology
Representing Characters
2.2 Substitution Ciphers
The Caesar Cipher
Other Substitutions
One-Time Pads
Summary of Substitutions
2.3 Transpositions (Permutations)
Columnar Transpositions
Combinations of Approaches
2.4 Making "Good" Encryption Algorithms
What Makes a "Secure" Encryption Algorithm?
Symmetric and Asymmetric Encryption Systems
Stream and Block Ciphers
Confusion and Diffusion
Cryptanalysis--Breaking Encryption Schemes
2.5 The Data Encryption Standard (DES)
Background and History
Overview of the DES Algorithm
Double and Triple DES
Security of the DES
2.6 The AES Encryption Algorithm
The AES Contest
Overview of Rijndael
Strength of the Algorithm
Comparison of DES and AES
2.7 Public Key Encryption
Motivation
Characteristics
Rivest-Shamir-Adelman (RSA) Encryption
2.8 The Uses of Encryption
Cryptographic Hash Functions
Key Exchange
Digital Signatures
Certificates
2.9 Summary of Encryption
2.10 Terms and Concepts
2.11 Where the Field Is Headed
2.12 To Learn More
2.13 Exercises
Chapter 3 Program Security
3.1 Secure Programs
Fixing Faults
Unexpected Behavior
Types of Flaws
3.2 Nonmalicious Program Errors
Buffer Overflows
Incomplete Mediation
Time-of-Check to Time-of-Use Errors
Combinations of Nonmalicious Program Flaws
3.3 Viruses and Other Malicious Code
Why Worry About Malicious Code?
Kinds of Malicious Code
How Viruses Attach
Document Viruses
How Viruses Gain Control
Homes for Viruses
Virus Signatures
The Source of Viruses
Prevention of Virus Infection
Truths and Misconceptions About Viruses
First Example of Malicious Code: The Brain Virus
Another Example: The Internet Worm
More Malicious Code: Code Red
Malicious Code on the Web: Web Bugs
3.4 Targeted Malicious Code
Trapdoors
Salami Attacks
Covert Channels: Programs That Leak Information
3.5 Controls Against Program Threats
Developmental Controls
Operating System Controls on Use of Programs
Administrative Controls
Program Controls in General
3.6 Summary of Program Threats and Controls
3.7 Terms and Concepts
3.8 Where the Field Is Headed
3.9 To Learn More
3.10 Exercises
Chapter 4 Protection in General-Purpose Operating Systems
4.1 Protected Objects and Methods of Protection
A Bit of History
Protected Objects
Security Methods of Operating Systems
4.2 Memory and Address Protection
Fence
Relocation
Base/Bounds Registers
Tagged Architecture
Segmentation
Paging
Combined Paging with Segmentation
4.3 Control of Access to General Objects
Directory
Access Control List
Access Control Matrix
Capability
Procedure-Oriented Access Control
4.4 File Protection Mechanisms
Basic Forms of Protection
Single Permissions
Per-Object and Per-User Protection
4.5 User Authentication
Use of Passwords
Attacks on Passwords
Password Selection Criteria
The Authentication Process
Authentication Other Than Passwords
4.6 Summary of Security for Users
4.7 Terms and Concepts
4.8 Where the Field Is Headed
4.9 To Learn More
4.10 Exercises
Chapter 5 Designing Trusted Operating Systems
5.1 What Is a Trusted System?
5.2 Security Policies
Military Security Policy
Commercial Security Policies
5.3 Models of Security
Multilevel Security
Models Proving Theoretical Limitations of Security Systems
Summary of Models of Protection Systems
5.4 Trusted Operating System Design
Trusted System Design Elements
Security Features of Ordinary Operating Systems
Security Features of Trusted Operating Systems
Kernelized Design
Separation/Isolation
Virtualization
Layered Design
5.5 Assurance in Trusted Operating Systems
Typical Operating System Flaws
Assurance Methods
Open Source
Evaluation
5.6 Implementation Examples
General-Purpose Operating Systems
Operating Systems Designed for Security
5.7 Summary of Security in Operating Systems
5.8 Terms and Concepts
5.9 Where the Field Is Headed
5.10 To Learn More
5.11 Exercises
Chapter 6 Database Security
6.1 Introduction to Databases
Concept of a Database
Components of Databases
Advantages of Using Databases
6.2 Security Requirements
Integrity of the Database
Element Integrity
Auditability
Access Control
User Authentication
Availability
Integrity/Confidentiality/Availability
6.3 Reliability and Integrity
Protection Features from the Operating System
Two-Phase Update
Redundancy/Internal Consistency
Recovery
Concurrency/Consistency
Monitors
Summary of Data Reliability
6.4 Sensitive Data
Access Decisions
Types of Disclosures
Security versus Precision
6.5 Inference
Direct Attack
Indirect Attack
Aggregation
6.6 Multilevel Databases
The Case for Differentiated Security
Granularity
Security Issues
6.7 Proposals for Multilevel Security
Separation
Designs of Multilevel Secure Databases
Concluding Remarks
6.8 Summary of Database Security
6.9 Terms and Concepts
6.10 Where the Field Is Headed
6.11 To Learn More
6.12 Exercises
Chapter 7 Security in Networks
7.1 Network Concepts
The Network
Media
Protocols
Types of Networks
Topologies
Distributed Systems
APIs
Advantages of Computing Networks
7.2 Threats in Networks
What Makes a Network Vulnerable?
Who Attacks Networks?
Threat Precursors
Threats in Transit: Eavesdropping and Wiretapping
Protocol Flaws
Impersonation
Spoofing
Message Confidentiality Threats
Message Integrity Threats
Web Site Defacement
Denial of Service
Distributed Denial of Service
Threats to Active or Mobile Code
Complex Attacks
Summary of Network Vulnerabilities
7.3 Network Security Controls
Security Threat Analysis
Design and Implementation
Architecture
Encryption
Content Integrity
Strong Authentication
Access Controls
Alarms and Alerts
Honeypots
Traffic Flow Security
Controls Review
7.4 Firewalls
What Is a Firewall?
Design of Firewalls
Types of Firewalls
Personal Firewalls
Comparison of Firewall Types
Example Firewall Configurations
What Firewalls Can--and Cannot--Block
7.5 Intrusion Detection Systems
Types of IDSs
Goals for Intrusion Detection Systems
IDS Strengths and Limitations
7.6 Secure E-Mail
Security for E-Mail
Designs
Example Secure E-Mail Systems
7.7 Summary of Network Security
7.8 Terms and Concepts
7.9 Where the Field Is Headed
7.10 To Learn More
7.11 Exercises
Chapter 8 Administering Security
8.1 Security Planning
Contents of a Security Plan
Security Planning Team Members
Assuring Commitment to a Security Plan
Business Continuity Plans
Incident Response Plans
8.2 Risk Analysis
The Nature of Risk
Steps of a Risk Analysis
Arguments For and Against Risk Analysis
8.3 Organizational Security Policies
Purpose
Audience
Contents
Characteristics of a Good Security Policy
Examples
Policy Issue Example: Government E-Mail
8.4 Physical Security
Natural Disasters
Power Loss
Human Vandals
Interception of Sensitive Information
Contingency Planning
Physical Security Recap
8.5 Summary
8.6 Terms and Concepts
8.7 To Learn More
8.8 Exercises
Chapter 9 Legal, Privacy, and Ethical Issues in Computer Security
9.1 Protecting Programs and Data
Copyrights
Patents
Trade Secrets
Protection for Computer Objects
9.2 Information and the Law
Information as an Object
Legal Issues Relating to Information
Protecting Information
Summary of Protection for Computer Artifacts
9.3 Rights of Employees and Employers
Ownership of Products
9.4 Software Failures
Selling Correct Software
Reporting Software Flaws
9.5 Computer Crime
Why a Separate Category for Computer Crime Is Needed
Why Computer Crime Is Hard to Define
Why Computer Crime Is Hard to Prosecute
Examples of Statutes
International Dimensions
Why Computer Criminals Are Hard to Catch
What Computer Crime Does Not Address
Cryptography and the Law
Summary of Legal Issues in Computer Security
9.6 Privacy
Threats to Privacy
Controls Protecting Privacy
9.7 Ethical Issues in Computer Security
Differences Between the Law and Ethics
Studying Ethics
Ethical Reasoning
9.8 Case Studies of Ethics
Case I: Use of Computer Services
Case II: Privacy Rights
Case III: Denial of Service
Case IV: Ownership of Programs
Case V: Proprietary Resources
Case VI: Fraud
Case VII: Accuracy of Information
Case VIII: Ethics of Hacking or Cracking
Codes of Ethics
Conclusion of Computer Ethics
9.9 Terms and Concepts
9.10 To Learn More
9.11 Exercises
Chapter 10 Cryptography Explained
10.1 Mathematics for Cryptography
Complexity
Properties of Arithmetic
10.2 Symmetric Encryption
Fundamental Concepts
Data Encryption Standard (DES)
Advanced Encryption Standard (AES)
10.3 Public Key Encryption Systems
Characteristics
Merkle-Hellman Knapsacks
Rivest-Shamir-Adelman (RSA) Encryption
El Gamal and Digital Signature Algorithms
10.4 Quantum Cryptography
Quantum Physics
Photon Reception
Cryptography with Photons
Implementation
10.5 Summary of Encryption
10.6 Terms and Concepts
10.7 Where the Field Is Headed
10.8 To Learn More
10.9 Exercises
Bibliography
Index