Analyzing Computer Security: A Threat / Vulnerability / Countermeasure Approach: International Edition

About the Book

“In this book, the authors adopt a refreshingly new approach to explaining the intricacies of the security and privacy challenge that is particularly well suited to today’s cybersecurity challenges. Their use of the threat–vulnerability–countermeasure paradigm combined with extensive real-world examples throughout results in a very effective learning methodology.”

—Charles C. Palmer, IBM Research 

The Modern Introduction to Computer Security: Understand Threats, Identify Their Causes, and Implement Effective Countermeasures


Analyzing Computer Security is a fresh, modern, and relevant introduction to computer security. Organized around today’s key attacks, vulnerabilities, and countermeasures, it helps you think critically and creatively about computer security—so you can prevent serious problems and mitigate the effects of those that still occur.


In this new book, renowned security and software engineering experts Charles P. Pfleeger and Shari Lawrence Pfleeger—authors of the classic Security in Computing—teach security the way modern security professionals approach it: by identifying the people or things that may cause harm, uncovering weaknesses that can be exploited, and choosing and applying the right protections. With this approach, not only will you study cases of attacks that have occurred, but you will also learn to apply this methodology to new situations.


The book covers “hot button” issues, such as authentication failures, network interception, and denial of service. You also gain new insight into broader themes, including risk analysis, usability, trust, privacy, ethics, and forensics. One step at a time, the book systematically helps you develop the problem-solving skills needed to protect any information infrastructure.


Coverage includes 

  • Understanding threats, vulnerabilities, and countermeasures
  • Knowing when security is useful, and when it’s useless “security theater”
  • Implementing effective identification and authentication systems
  • Using modern cryptography and overcoming weaknesses in cryptographic systems
  • Protecting against malicious code: viruses, Trojans, worms, rootkits, keyloggers, and more
  • Understanding, preventing, and mitigating DoS and DDoS attacks
  • Architecting more secure wired and wireless networks
  • Building more secure application software and operating systems through more solid designs and layered protection
  • Protecting identities and enforcing privacy
  • Addressing computer threats in critical areas such as cloud computing, e-voting, cyberwarfare, and social media

Table of Contents:

Foreword xxiii
Preface xxvii
About the Authors xxxv

Chapter 1: Security Blanket or Security Theater? 2
  • How Dependent Are We on Computers? 6
  • What is Computer Security? 8
  • The Vulnerability–Threat–Control Paradigm 10
  • Threats 11
  • Harm 23
  • Vulnerabilities 29
  • Controls 29
  • Analyzing Security with Examples 32
  • Conclusion 33
  • Exercises 34

Chapter 2: Knock, Knock. Who’s There? 38
  • Attack: Impersonation 39
  • Attack Details: Failed Authentication 40
  • Vulnerability: Faulty or Incomplete Authentication 41
  • Countermeasure: Strong Authentication 47
  • Conclusion 63
  • Recurring Thread: Privacy 65
  • Recurring Thread: Usability 69
  • Exercises 71

Chapter 3: 2 + 2 = 5 72
  • Attack: Program Flaw in Spacecraft Software 74
  • Threat: Program Flaw Leads to Security Failing 75
  • Vulnerability: Incomplete Mediation 77
  • Vulnerability: Race Condition 79
  • Vulnerability: Time-of-Check to Time-of-Use 82
  • Vulnerability: Undocumented Access Point 84
  • Ineffective Countermeasure: Penetrate-and-Patch 85
  • Countermeasure: Identifying and Classifying Faults 86
  • Countermeasure: Secure Software Design Elements 89
  • Countermeasure: Secure Software Development Process 97
  • Good Design 103
  • Countermeasure: Testing 114
  • Countermeasure: Defensive Programming 122
  • Conclusion 123
  • Recurring Thread: Legal—Redress for Software Failures 125
  • Exercises 128

Chapter 4: A Horse of a Different Color 130
  • Attack: Malicious Code 131
  • Threat: Malware—Virus, Trojan Horse, and Worm 132
  • Technical Details: Malicious Code 138
  • Vulnerability: Voluntary Introduction 155
  • Vulnerability: Unlimited Privilege 157
  • Vulnerability: Stealthy Behavior—Hard to Detect and Characterize 157
  • Countermeasure: Hygiene 158
  • Countermeasure: Detection Tools 159
  • Countermeasure: Error Detecting and Error Correcting Codes 166
  • Countermeasure: Memory Separation 170
  • Countermeasure: Basic Security Principles 171
  • Recurring Thread: Legal—Computer Crime 172
  • Conclusion 176
  • Exercises 177

Chapter 5: The Keys to the Kingdom 180
  • Attack: Keylogging 181
  • Threat: Illicit Data Access 182
  • Attack Details 182
  • Harm: Data and Reputation 186
  • Vulnerability: Physical Access 186
  • Vulnerability: Misplaced Trust 187
  • Vulnerability: Insiders 188
  • Vulnerability: System Subversion 191
  • Recurring Thread: Forensics—Tracing Data Flow 192
  • Vulnerability: Weak Authentication 193
  • Failed Countermeasure: Security through Obscurity 193
  • Countermeasure: Physical Access Control 195
  • Countermeasure: Strong Authentication 197
  • Countermeasure: Trust/Least Privilege 201
  • Conclusion 203
  • Recurring Thread: Forensics—Plug-and-Play Devices 204
  • Exercises 206

Interlude A: Cloud Computing 208
  • What is Cloud Computing? 209
  • What are the Risks in the Cloud? 211

Chapter 6: My Cup Runneth Over 214
  • Attack: What Did You Say That Number Was? 215
  • Harm: Destruction of Code and Data 216
  • Vulnerability: Off-by-One Error 228
  • Vulnerability: Integer Overflow 229
  • Vulnerability: Unterminated Null-Terminated String 230
  • Vulnerability: Parameter Length and Number 231
  • Vulnerability: Unsafe Utility Programs 232
  • Attack: Important Overflow Exploitation Examples 232
  • Countermeasure: Programmer Bounds Checking 242
  • Countermeasure: Programming Language Support 242
  • Countermeasure: Stack Protection/Tamper Detection 245
  • Countermeasure: Hardware Protection of Executable Space 247
  • Countermeasure: General Access Control 259
  • Conclusion 270
  • Exercises 272

Chapter 7: He Who Steals My Purse . . . 274
  • Attack: Veterans’ Administration Laptop Stolen 275
  • Threat: Loss of Data 276
  • Extended Threat: Disaster 276
  • Vulnerability: Physical Access 277
  • Vulnerability: Unprotected Availability of Data 277
  • Vulnerability: Unprotected Confidentiality of Data 277
  • Countermeasure: Policy 278
  • Countermeasure: Physical Security 278
  • Countermeasure: Data Redundancy (Backup) 280
  • Countermeasure: Encryption 284
  • Countermeasure: Disk Encryption 323
  • Conclusion 324
  • Exercises 327

Chapter 8: The Root of All Evil 330
  • Background: Operating System Structure 331
  • Attack: Phone Rootkit 335
  • Attack Details: What Is a Rootkit? 336
  • Vulnerability: Software Complexity 345
  • Vulnerability: Difficulty of Detection and Eradication 345
  • Countermeasure: Simplicity of Design 346
  • Countermeasure: Trusted Systems 351
  • Conclusion 362
  • Exercises 363

Chapter 9: Scanning the Horizon 366
  • Attack: Investigation, Intrusion, and Compromise 367
  • Threat: Port Scan 368
  • Attack Details 369
  • Harm: Knowledge and Exposure 372
  • Recurring Thread: Legal—Are Port Scans Legal? 373
  • Vulnerability: Revealing Too Much 374
  • Vulnerability: Allowing Internal Access 374
  • Countermeasure: System Architecture 375
  • Countermeasure: Firewall 376
  • Countermeasure: Network Address Translation (NAT) 395
  • Countermeasure: Security Perimeter 397
  • Conclusion 398
  • Exercises 400

Chapter 10: Do You Hear What I Hear? 402
  • Attack: Wireless (WiFi) Network Access 403
  • Harm: Confidentiality–Integrity–Availability 410
  • Attack: Unauthorized Access 412
  • Vulnerability: Protocol Weaknesses 412
  • Failed Countermeasure: WEP 416
  • Stronger but Not Perfect Countermeasure: WPA and WPA2 420
  • Conclusion 424
  • Recurring Thread: Privacy—Privacy-Preserving Design 425
  • Exercises 427

Chapter 11: I Hear You Loud and Clear 430
  • Attack: Enemies Watch Predator Video 431
  • Attack Details 432
  • Threat: Interception 435
  • Vulnerability: Wiretapping 439
  • Countermeasure: Encryption 446
  • Countermeasure: Virtual Private Networks 450
  • Countermeasure: Cryptographic Key Management Regime 454
  • Countermeasure: Asymmetric Cryptography 457
  • Countermeasure: Kerberos 462
  • Conclusion 466
  • Recurring Thread: Ethics—Monitoring Users 469
  • Exercises 470

Interlude B: Electronic Voting 472
  • What Is Electronic Voting? 473
  • What Is a Fair Election? 475
  • What Are the Critical Issues? 475

Chapter 12: Disregard That Man Behind the Curtain 480
  • Attack: Radar Sees Only Blue Skies 481
  • Threat: Man in the Middle 482
  • Threat: “In-the-Middle” Activity 485
  • Vulnerability: Unwarranted Trust 496
  • Vulnerability: Failed Identification and Authentication 497
  • Vulnerability: Unauthorized Access 499
  • Vulnerability: Inadequate Attention to Program Details 499
  • Vulnerability: Protocol Weakness 500
  • Countermeasure: Trust 501
  • Countermeasure: Identification and Authentication 501
  • Countermeasure: Cryptography 504
  • Related Attack: Covert Channel 506
  • Related Attack: Steganography 515
  • Conclusion 517
  • Exercises 518

Chapter 13: Not All Is as It Seems 520
  • Attacks: Forgeries 521
  • Threat: Integrity Failure 526
  • Attack Details 526
  • Vulnerability: Protocol Weaknesses 538
  • Vulnerability: Code Flaws 539
  • Vulnerability: Humans 539
  • Countermeasure: Digital Signature 541
  • Countermeasure: Secure Protocols 562
  • Countermeasure: Access Control 562
  • Countermeasure: User Education 564
  • Possible Countermeasure: Analysis 565
  • Non-Countermeasure: Software Goodness Checker 567
  • Conclusion 568
  • Exercises 570

Chapter 14: Play It [Again] Sam, or, Let’s Look at the Instant Replay 572
  • Attack: Cloned RFIDs 573
  • Threat: Replay Attacks 574
  • Vulnerability: Reuse of Session Data 576
  • Countermeasure: Unrepeatable Protocol 576
  • Countermeasure: Cryptography 579
  • Conclusion: Replay Attacks 580
  • Similar Attack: Session Hijack 580
  • Vulnerability: Electronic Impersonation 584
  • Vulnerability: Nonsecret Token 584
  • Countermeasure: Encryption 585
  • Countermeasure: IPsec 589
  • Countermeasure: Design 592
  • Conclusion 593
  • Exercises 594

Chapter 15: I Can’t Get No Satisfaction 596
  • Attack: Massive Estonian Web Failure 597
  • Threat: Denial of Service 598
  • Threat: Flooding 598
  • Threat: Blocked Access 599
  • Threat: Access Failure 600
  • Case: Beth Israel Deaconess Hospital Systems Down 601
  • Vulnerability: Insufficient Resources 602
  • Vulnerability: Addressee Cannot Be Found 607
  • Vulnerability: Exploitation of Known Vulnerability 609
  • Vulnerability: Physical Disconnection 609
  • Countermeasure: Network Monitoring and Administration 610
  • Countermeasure: Intrusion Detection and Prevention Systems 614
  • Countermeasure: Management 626
  • Conclusion: Denial of Service 629
  • Extended Attack: E Pluribus Contra Unum 631
  • Technical Details 634
  • Recurring Thread: Legal—DDoS Crime Does Not Pay 639
  • Vulnerability: Previously Described Attacks 639
  • Countermeasures: Preventing Bot Conscription 641
  • Countermeasures: Handling an Attack Under Way 643
  • Conclusion: Distributed Denial of Service 644
  • Exercises 645

Interlude C: Cyber Warfare 648
  • What Is Cyber Warfare? 649
  • Examples of Cyber Warfare 650
  • Critical Issues 652

Chapter 16: ’Twas Brillig, and the Slithy Toves . . . 658
  • Attack: Grade Inflation 659
  • Threat: Data Corruption 660
  • Countermeasure: Codes 663
  • Countermeasure: Protocols 664
  • Countermeasure: Procedures 665
  • Countermeasure: Cryptography 666
  • Conclusion 669
  • Exercises 670

Chapter 17: Peering Through the Window 672
  • Attack: Sharing Too Much 673
  • Attack Details: Characteristics of Peer-to-Peer Networks 673
  • Threat: Inappropriate Data Disclosure 676
  • Threat: Introduction of Malicious Software 677
  • Threat: Exposure to Unauthorized Access 678
  • Vulnerability: User Failure to Employ Access Controls 679
  • Vulnerability: Unsafe User Interface 679
  • Vulnerability: Malicious Downloaded Software 680
  • Countermeasure: User Education 681
  • Countermeasure: Secure-by-Default Software 681
  • Countermeasure: Legal Action 682
  • Countermeasure: Outbound Firewall or Guard 684
  • Conclusion 685
  • Recurring Thread: Legal—Protecting Computer Objects 687
  • Exercises 700

Chapter 18: My 100,000 Nearest and Dearest Friends 702
  • Attack: I See U 703
  • Threat: Loss of Confidentiality 704
  • Threat: Data Leakage 705
  • Threat: Introduction of Malicious Code 706
  • Attack Details: Unintended Disclosure 707
  • Vulnerability: Exploiting Trust Relationships 717
  • Vulnerability: Analysis on Data 718
  • Vulnerability: Hidden Data Attributes 718
  • Countermeasure: Data Suppression and Modification 720
  • Countermeasure: User Awareness and Education 725
  • Countermeasure: Policy 729
  • Conclusion 730
  • Exercises 732

Afterword 734
  • Challenges Facing Us 735
  • Critical Issues 737
  • Moving Forward: Suggested Next Steps for Improving Computer Security 738
  • And Now for Something a Little Different 742

Bibliography 745
Index 769

About the Authors:

Dr. Charles P. Pfleeger, an independent computer and information security consultant, provides threat/vulnerability analysis, design review, training, expert testimony, and security advice to clients worldwide. He was master security architect at Cable and Wireless and Exodus Communications, and professor of computer science at the University of Tennessee. Dr. Pfleeger is coauthor of Security in Computing, Fourth Edition (Prentice Hall, 2007), today’s leading college computer security textbook.


Dr. Shari Lawrence Pfleeger is Director of Research for the Institute for Information Infrastructure Protection at Dartmouth College, a consortium working to protect the U.S. cyber infrastructure. The Journal of Systems and Software has repeatedly named her one of the world’s top software engineering researchers. Dr. Pfleeger is coauthor of Security in Computing, Fourth Edition (Prentice Hall, 2007), today’s leading college computer security textbook.

Review:

“This is a must-read book for any budding Security Architect and also makes a great professional reference. I’d recommend this book to any IT architect or specialist wishing to enter the field of security architectures, as well as to anyone who already has that title and wants a good quality reference book.”

—John Hughes, InfoSec Reviews

Product Details
  • ISBN-13: 9780132839402
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Pearson
  • Height: 231 mm
  • No of Pages: 848
  • Sub Title: A Threat / Vulnerability / Countermeasure Approach: International Edition
  • Width: 181 mm
  • ISBN-10: 0132839407
  • Publisher Date: 26 Jan 2012
  • Binding: Paperback
  • Language: English
  • Spine Width: 27 mm
  • Weight: 1040 g
