Security in Computing, 6th Edition
Year of publication: 2024
Authors: Charles P. Pfleeger, Shari Lawrence Pfleeger, Lizzie Coles-Kemp
Publisher: Pearson Education, Inc.
ISBN: 978-0-13-789121-4
Language: English
Format: PDF
Quality: Publisher's layout or text (eBook)
Interactive table of contents: Yes
Number of pages: 1029

Description:
The Art of Computer and Information Security: From Apps and Networks to Cloud and Crypto

Security in Computing, Sixth Edition, is today's essential text for anyone teaching, learning, and practicing cybersecurity. It defines core principles underlying modern security policies, processes, and protection; illustrates them with up-to-date examples; and shows how to apply them in practice. Modular and flexibly organized, this book supports a wide array of courses, strengthens professionals' knowledge of foundational principles, and imparts a more expansive understanding of modern security.

This extensively updated edition adds or expands coverage of artificial intelligence and machine learning tools; app and browser security; security by design; securing cloud, IoT, and embedded systems; privacy-enhancing technologies; protecting vulnerable individuals and groups; strengthening security culture; cryptocurrencies and blockchain; cyberwarfare; post-quantum computing; and more. It contains many new diagrams, exercises, sidebars, and examples, and is suitable for use with two leading frameworks: the US NIST National Initiative for Cybersecurity Education (NICE) and the UK Cyber Security Body of Knowledge (CyBOK).

Coverage:
Core security concepts: assets, threats, vulnerabilities, controls, confidentiality, integrity, availability, attackers, and attack types
The security practitioner's toolbox: identification and authentication, access control, and cryptography
Areas of practice: securing programs, user–internet interaction, operating systems, networks, data, databases, and cloud computing
Cross-cutting disciplines: privacy, management, law, and ethics
Using cryptography: formal and mathematical underpinnings, and applications of cryptography
Emerging topics and risks: AI and adaptive cybersecurity, blockchains and cryptocurrencies, cyberwarfare, and quantum computing
Sample pages (screenshots)

Table of contents
Foreword xix
Preface xxv
Acknowledgments xxxi
About the Authors xxxiii

Chapter 1 Introduction 1
1.1 What Is Computer Security? 3
    Values of Assets 4
    The Vulnerability–Threat–Control Paradigm 5
1.2 Threats 6
    Confidentiality 8
    Integrity 10
    Availability 11
    Types of Threats 13
    Types of Attackers 17
1.3 Harm 24
    Risk and Common Sense 25
    Method–Opportunity–Motive 28
1.4 Vulnerabilities 30
1.5 Controls 30
1.6 Conclusion 33
1.7 What's Next? 34
1.8 Exercises 36

Chapter 2 Toolbox: Authentication, Access Control, and Cryptography 38
2.1 Authentication 40
    Identification vs. Authentication 40
    Authentication Based on Phrases and Facts: Something You Know 42
    Authentication Based on Biometrics: Something You Are 57
    Authentication Based on Tokens: Something You Have 69
    Federated Identity Management 72
    Multifactor Authentication 74
    Fitting Authentication to the Situation 76
2.2 Access Control 78
    Access Policies 78
    Implementing Access Control 82
    Procedure-Oriented Access Control 92
    Role-Based Access Control 92
2.3 Cryptography 93
    Problems Addressed by Encryption 94
    Terms and Concepts 94
    DES: The Data Encryption Standard 104
    AES: Advanced Encryption System 106
    Public Key Cryptography 108
    Using Public Key Cryptography to Exchange Secret Keys 112
    Error Detecting Codes 117
    Signatures 122
    Trust 126
    Certificates: Trustable Identities and Public Keys 130
    Digital Signatures—All the Pieces 134
2.4 Conclusion 137
2.5 Exercises 138

Chapter 3 Programs and Programming 141
3.1 Unintentional (Nonmalicious) Programming Oversights 143
    Buffer Overflow 144
    Incomplete Mediation 163
    Time-of-Check to Time-of-Use 166
    Undocumented Access Point 168
    Off-by-One Error 171
    Integer Overflow 172
    Unterminated Null-Terminated String 173
    Parameter Length, Type, and Number 174
    Unsafe Utility Program 174
    Race Condition 175
    Unsynchronized Activity 175
3.2 Malicious Code—Malware 178
    Malware—Viruses, Worms, and Trojan Horses 179
    Technical Details: Malicious Code 188
3.3 Countermeasures 211
    Countermeasures for Users 212
    Countermeasures for Developers 217
    Countermeasure Specifically for Security 232
    Countermeasures That Don't Work 241
3.4 Conclusion 245
3.5 Exercises 245

Chapter 4 The Internet—User Side 248
4.1 Browser Attacks 251
    Browser Attack Types 251
    How Browser Attacks Succeed: Failed Identification and Authentication 258
4.2 Attacks Targeting Users 265
    False or Misleading Content 265
    Malicious Web Content 273
    Protecting Against Malicious Webpages 279
4.3 Obtaining User or Website Data 280
    Code Within Data 281
    Website Data: A User's Problem Too 285
    Ransomware 287
    Foiling Data Attacks 288
4.4 Mobile Apps 289
    Apps and Security 289
    Threats to Mobile Computing 293
    Vulnerabilities from Using Apps 294
    Why Apps Have Flaws 300
    Finding Secure Apps 303
    Protecting Yourself After Installing an App 305
    Developing Secure Apps 307
4.5 Email and Message Attacks 310
    Fake Email 310
    Fake Email Messages as Spam 311
    Fake (Inaccurate) Email Header Data 316
    Phishing 317
    Protecting Against Email Attacks 319
4.6 Conclusion 320
4.7 Exercises 321

Chapter 5 Operating Systems 323
5.1 Security in Operating Systems 323
    Background: Operating System Structure 324
    Security Features of Ordinary Operating Systems 325
    A Bit of History 327
    Protected Objects 329
    Operating System Tools to Implement Security Functions 334
5.2 Security in the Design of Operating Systems 351
    Simplicity of Design 352
    Layered Design 353
    Kernelized Design 355
    Reference Monitor 356
    Correctness and Completeness 357
    Secure Design Principles 358
    Trusted Systems 359
5.3 Rootkits 371
    Example: Phone Rootkits 371
    Rootkit Characteristics 372
    Rootkit Case Studies 378
    Nonmalicious Rootkits 381
5.4 Conclusion 382
5.5 Exercises 382

Chapter 6 Networks 385
6.1 Network Concepts 386
    Background: Network Transmission Media 387
    Background: Protocol Layers 395
    Background: Addressing and Routing 396
Part I—War on Networks: Network Security Attacks 399
6.2 Threats to Network Communications 400
    Interception: Eavesdropping and Wiretapping 400
    Modification: Data Corruption 406
    Interruption: Loss of Service 411
    Port Scanning 415
    Network Vulnerability Summary 420
6.3 Wireless Network Security 421
    WiFi Background 421
    Vulnerabilities in Wireless Networks 428
    Failed Countermeasure: WEP (Wired Equivalent Privacy) 434
    Stronger Protocol Suite: WPA (WiFi Protected Access) 438
6.4 Denial of Service 443
    Example: Massive Estonian Web Failure 443
    How Service Is Denied 445
    Flooding (Capacity) Attacks in Detail 449
    Network Flooding Caused by Malicious Code 450
    Network Flooding by Resource Exhaustion 454
    Denial of Service by Addressing Failures 455
    Traffic Redirection 460
    DNS Attacks 460
    Exploiting Known Vulnerabilities 466
    Physical Disconnection 467
6.5 Distributed Denial of Service 468
    Scripted Denial-of-Service Attacks 471
    Bots 472
    Botnets 472
    Malicious Autonomous Mobile Agents 477
    Autonomous Mobile Protective Agents 477
Part II—Strategic Defenses: Security Countermeasures 479
6.6 Cryptography in Network Security 479
    Network Encryption 479
    Browser Encryption 484
    Onion Routing 489
    IP Security Protocol Suite (IPsec) 491
    Virtual Private Networks 494
6.7 Firewalls 497
    System Architecture 498
    What Is a Firewall? 499
    Design of Firewalls 501
    Types of Firewalls 503
    Personal Firewalls 514
    Comparison of Firewall Types 516
    Examples of Firewall Configurations 516
    Network Address Translation (NAT) 521
6.8 Intrusion Detection and Prevention Systems 522
    Types of IDSs 524
    Goals for Intrusion Detection Systems 530
    IDS Strengths and Limitations 531
    Intrusion Prevention Systems 532
    Intrusion Response 533
6.9 Network Management 536
    Management to Ensure Service 537
    Security Information and Event Management 540
    All-of-the-Above Products or Families 542
6.10 Conclusion 545
6.11 Exercises 545

Chapter 7 Data and Databases 549
7.1 Introduction to Databases 550
    Concept of a Database 550
    Components of Databases 550
    Advantages of Using Databases 554
7.2 Security Requirements of Databases 555
    Integrity of the Database 555
    Element Integrity 556
    Auditability 559
    Access Control 559
    User Authentication 560
    Availability 560
    Integrity/Confidentiality/Availability 561
7.3 Reliability and Integrity 561
    Protection Features from the Operating System 562
    Two-Phase Update 562
    Redundancy/Internal Consistency 565
    Recovery 565
    Concurrency/Consistency 565
7.4 Database Disclosure 566
    Sensitive Data 567
    Types of Disclosures 568
    Preventing Disclosure: Data Suppression and Modification 578
    Security versus Precision 580
7.5 Data Mining and Big Data 585
    Data Mining 585
    Big Data 591
7.6 Conclusion 599
7.7 Exercises 599

Chapter 8 New Territory 601
8.1 Introduction 601
    Cloud Computing 603
    The Internet of Things 604
    Embedded Systems 605
8.2 Cloud Architectures and Their Security 605
    Essential Characteristics 606
    Service Models 608
    Deployment Models 611
    Security in Cloud Computing 611
    Identity Management in the Cloud 618
8.3 IoT and Embedded Devices 627
    IoT and Security 630
8.4 Cloud, IoT, and Embedded Devices—The Smart Home 638
    Securing Smart Homes 640
    Security Practices and Controls in the Smart Home 642
8.5 Smart Cities, IoT, Embedded Devices, and Cloud 643
    Smart City Digital Architecture 645
    Security and the Smart City 647
8.6 Cloud, IoT, and Critical Services 648
    Healthcare 648
    Security and the Internet of Medical Things 650
    Utilities—Electricity and Water 652
8.7 Conclusion 657
8.8 Exercises 658

Chapter 9 Privacy 659
9.1 Privacy Concepts 660
    Aspects of Information Privacy 660
    Computer-Related Privacy Problems 664
9.2 Privacy Principles and Policies 671
    Fair Information Practices 671
    U.S. Privacy Laws 672
    Controls on U.S. Government Websites 675
    Controls on Commercial Websites 676
    Non-U.S. Privacy Principles 679
    Individual Actions to Protect Privacy 682
    Governments and Privacy 684
    Identity Theft 687
9.3 Authentication and Privacy 688
    What Authentication Means 689
    Conclusions 693
9.4 Data Mining 694
    Government Data Mining 695
    Privacy-Preserving Data Mining 696
9.5 Privacy on the Internet 698
    Understanding the Online Environment 698
    Payments on the Internet 701
    Site and Portal Registrations 703
    Whose Page Is This? 704
    Precautions for Web Surfing 705
    Spyware 709
    Shopping on the Internet 712
9.6 Email and Message Security 713
    Where Does Email Go, and Who Can Access It? 713
    Monitoring Email 714
    Anonymous, Pseudonymous, and Disappearing Email 714
    Spoofing and Spamming 716
    Summary 716
9.7 Privacy Impacts of Newer Technologies 717
    Radio Frequency Identification 717
    Electronic Voting 721
    Privacy in the Cloud 722
    Conclusions on Newer Technologies 723
9.8 Conclusion 724
9.9 Exercises 725

Chapter 10 Management and Incidents 727
10.1 Security Planning 727
    Organizations and Security Plans 729
    Contents of a Security Plan 729
    Security Planning Team Members 736
    Assuring Commitment to a Security Plan 737
10.2 Business Continuity Planning 738
    Assess Business Impact 740
    Develop Strategy 740
    Develop the Plan 741
10.3 Handling Incidents 742
    Incident Response Plans 742
    Incident Response Teams 745
10.4 Risk Analysis 749
    The Nature of Risk 750
    Steps of a Risk Analysis 751
    Arguments For and Against Risk Analysis 765
10.5 Physical Threats to Systems 767
    Natural Disasters 767
    Human Vandals 769
    Contingency Planning 772
    Physical Security Recap 776
10.6 New Frontiers in Security Management 776
10.7 Conclusion 778
10.8 Exercises 779

Chapter 11 Legal Issues and Ethics 781
11.1 Protecting Programs and Data 783
    Copyrights 783
    Patents 792
    Trade Secrets 796
    Special Cases 798
11.2 Information and the Law 800
    Information as an Object 800
    The Legal System 802
    Summary of Protection for Computer Artifacts 805
11.3 Rights of Employees and Employers 805
    Control of Products 805
    Employment Contracts 808
11.4 Redress for Software Failures 808
    Selling Correct Software 809
    Reporting Software Flaws 811
11.5 Computer Crime 814
    Examples of Statutes 815
    International Dimensions 818
    Why Computer Criminals Are Hard to Catch 820
    What Computer Crime Statutes Do Not Address 821
    Summary of Legal Issues in Computer Security 821
11.6 Ethical Issues in Computer Security 822
    Differences Between the Law and Ethics 822
    Studying Ethics 824
    Ethical Reasoning 825
11.7 An Ethical Dive into Artificial Intelligence 828
    AI's Meaning and Concerns 828
    IBM: A Study in How to Approach Ethical AI 829
11.8 Incident Analyses with Ethics 830
    Situation I: Use of Computer Services 832
    Situation II: Privacy Rights 833
    Situation III: Denial of Service 835
    Situation IV: Ownership of Programs 836
    Situation V: Proprietary Resources 838
    Situation VI: Fraud 838
    Situation VII: Accuracy of Information 840
    Situation VIII: Ethics of Hacking or Cracking 841
    Situation IX: True Representation 844
    Conclusion of Computer Ethics 845
11.9 Conclusion 846
11.10 Exercises 847

Chapter 12 Details of Cryptography 850
12.1 Cryptology 851
    Cryptanalysis 851
    Cryptographic Primitives 856
    One-Time Pads 857
    Statistical Analysis 859
    What Makes a "Secure" Encryption Algorithm? 860
12.2 Symmetric Encryption Algorithms 863
    DES 863
    Attacking Ciphertext 871
    AES 874
    Other Symmetric Algorithms 876
12.3 Asymmetric Encryption 877
    The RSA Algorithm 877
    Strength of the RSA Algorithm 878
    Elliptic Curve Cryptosystems 881
    Digression: Diffie–Hellman Key Exchange 882
12.4 Message Digests 883
    Hash Functions 883
    One-Way Hash Functions 883
    Message Digests 884
    Authenticated Encryption 886
12.5 Digital Signatures 888
12.6 Quantum Key Distribution 889
    Key Distribution 889
    Quantum Physics 890
    Implementation 893
12.7 Conclusion 894

Chapter 13 Emerging Topics 895
13.1 AI and Cybersecurity 896
    AI-Based Decision Making 897
    AI-Driven Security Management 898
    Adversarial AI 903
    Responsible AI 905
    Open Questions 906
13.2 Blockchains and Cryptocurrencies 908
    What Is a Blockchain? 908
    Commerce and Trust 910
    What Is Cryptocurrency? 912
    Cryptocurrency in the World Context 915
    Is the Implementation of Cryptocurrencies Secure? 921
    Open Questions 924
13.3 Offensive Cyber and Cyberwarfare 924
    What Is Cyberwarfare? 924
    Possible Examples of Cyberwarfare 926
    Cyberwar or Offensive Cyber? 929
    Critical Issues 932
13.4 Quantum Computing and Computer Security 936
    Quantum Computers 936
    Quantum-Resistant Cryptography 937
13.5 Conclusion 937

Bibliography 939
Index 963