About the Book
“In this book, the authors adopt a refreshingly new approach to explaining the intricacies of the security and privacy challenge that is particularly well suited to today’s cybersecurity challenges. Their use of the threat–vulnerability–countermeasure paradigm combined with extensive real-world examples throughout results in a very effective learning methodology.”
—Charles C. Palmer, IBM Research
The Modern Introduction to Computer Security: Understand Threats, Identify Their Causes, and Implement Effective Countermeasures
Analyzing Computer Security is a fresh, modern, and relevant introduction to computer security. Organized around today’s key attacks, vulnerabilities, and countermeasures, it helps you think critically and creatively about computer security—so you can prevent serious problems and mitigate the effects of those that still occur.
In this new book, renowned security and software engineering experts Charles P. Pfleeger and Shari Lawrence Pfleeger—authors of the classic Security in Computing—teach security the way modern security professionals approach it: by identifying the people or things that may cause harm, uncovering weaknesses that can be exploited, and choosing and applying the right protections. With this approach, not only will you study cases of attacks that have occurred, but you will also learn to apply this methodology to new situations.
The book covers “hot button” issues, such as authentication failures, network interception, and denial of service. You also gain new insight into broader themes, including risk analysis, usability, trust, privacy, ethics, and forensics. One step at a time, the book systematically helps you develop the problem-solving skills needed to protect any information infrastructure.
Coverage includes
Understanding threats, vulnerabilities, and countermeasures
Knowing when security is useful, and when it’s useless “security theater”
Implementing effective identification and authentication systems
Using modern cryptography and overcoming weaknesses in cryptographic systems
Protecting against malicious code: viruses, Trojans, worms, rootkits, keyloggers, and more
Understanding, preventing, and mitigating DoS and DDoS attacks
Architecting more secure wired and wireless networks
Building more secure application software and operating systems through more solid designs and layered protection
Protecting identities and enforcing privacy
Addressing computer threats in critical areas such as cloud computing, e-voting, cyberwarfare, and social media
Table of Contents:
Foreword xxiii
Preface xxvii
About the Authors xxxv
Chapter 1: Security Blanket or Security Theater? 2
How Dependent Are We on Computers? 6
What Is Computer Security? 8
The Vulnerability–Threat–Control Paradigm 10
Threats 11
Harm 23
Vulnerabilities 29
Controls 29
Analyzing Security with Examples 32
Conclusion 33
Exercises 34
Chapter 2: Knock, Knock. Who’s There? 38
Attack: Impersonation 39
Attack Details: Failed Authentication 40
Vulnerability: Faulty or Incomplete Authentication 41
Countermeasure: Strong Authentication 47
Conclusion 63
Recurring Thread: Privacy 65
Recurring Thread: Usability 69
Exercises 71
Chapter 3: 2 + 2 = 5 72
Attack: Program Flaw in Spacecraft Software 74
Threat: Program Flaw Leads to Security Failing 75
Vulnerability: Incomplete Mediation 77
Vulnerability: Race Condition 79
Vulnerability: Time-of-Check to Time-of-Use 82
Vulnerability: Undocumented Access Point 84
Ineffective Countermeasure: Penetrate-and-Patch 85
Countermeasure: Identifying and Classifying Faults 86
Countermeasure: Secure Software Design Elements 89
Countermeasure: Secure Software Development Process 97
Good Design 103
Countermeasure: Testing 114
Countermeasure: Defensive Programming 122
Conclusion 123
Recurring Thread: Legal—Redress for Software Failures 125
Exercises 128
Chapter 4: A Horse of a Different Color 130
Attack: Malicious Code 131
Threat: Malware—Virus, Trojan Horse, and Worm 132
Technical Details: Malicious Code 138
Vulnerability: Voluntary Introduction 155
Vulnerability: Unlimited Privilege 157
Vulnerability: Stealthy Behavior—Hard to Detect and Characterize 157
Countermeasure: Hygiene 158
Countermeasure: Detection Tools 159
Countermeasure: Error Detecting and Error Correcting Codes 166
Countermeasure: Memory Separation 170
Countermeasure: Basic Security Principles 171
Recurring Thread: Legal—Computer Crime 172
Conclusion 176
Exercises 177
Chapter 5: The Keys to the Kingdom 180
Attack: Keylogging 181
Threat: Illicit Data Access 182
Attack Details 182
Harm: Data and Reputation 186
Vulnerability: Physical Access 186
Vulnerability: Misplaced Trust 187
Vulnerability: Insiders 188
Vulnerability: System Subversion 191
Recurring Thread: Forensics—Tracing Data Flow 192
Vulnerability: Weak Authentication 193
Failed Countermeasure: Security through Obscurity 193
Countermeasure: Physical Access Control 195
Countermeasure: Strong Authentication 197
Countermeasure: Trust/Least Privilege 201
Conclusion 203
Recurring Thread: Forensics—Plug-and-Play Devices 204
Exercises 206
Interlude A: Cloud Computing 208
What Is Cloud Computing? 209
What Are the Risks in the Cloud? 211
Chapter 6: My Cup Runneth Over 214
Attack: What Did You Say That Number Was? 215
Harm: Destruction of Code and Data 216
Vulnerability: Off-by-One Error 228
Vulnerability: Integer Overflow 229
Vulnerability: Unterminated Null-Terminated String 230
Vulnerability: Parameter Length and Number 231
Vulnerability: Unsafe Utility Programs 232
Attack: Important Overflow Exploitation Examples 232
Countermeasure: Programmer Bounds Checking 242
Countermeasure: Programming Language Support 242
Countermeasure: Stack Protection/Tamper Detection 245
Countermeasure: Hardware Protection of Executable Space 247
Countermeasure: General Access Control 259
Conclusion 270
Exercises 272
Chapter 7: He Who Steals My Purse . . . 274
Attack: Veterans’ Administration Laptop Stolen 275
Threat: Loss of Data 276
Extended Threat: Disaster 276
Vulnerability: Physical Access 277
Vulnerability: Unprotected Availability of Data 277
Vulnerability: Unprotected Confidentiality of Data 277
Countermeasure: Policy 278
Countermeasure: Physical Security 278
Countermeasure: Data Redundancy (Backup) 280
Countermeasure: Encryption 284
Countermeasure: Disk Encryption 323
Conclusion 324
Exercises 327
Chapter 8: The Root of All Evil 330
Background: Operating System Structure 331
Attack: Phone Rootkit 335
Attack Details: What Is a Rootkit? 336
Vulnerability: Software Complexity 345
Vulnerability: Difficulty of Detection and Eradication 345
Countermeasure: Simplicity of Design 346
Countermeasure: Trusted Systems 351
Conclusion 362
Exercises 363
Chapter 9: Scanning the Horizon 366
Attack: Investigation, Intrusion, and Compromise 367
Threat: Port Scan 368
Attack Details 369
Harm: Knowledge and Exposure 372
Recurring Thread: Legal—Are Port Scans Legal? 373
Vulnerability: Revealing Too Much 374
Vulnerability: Allowing Internal Access 374
Countermeasure: System Architecture 375
Countermeasure: Firewall 376
Countermeasure: Network Address Translation (NAT) 395
Countermeasure: Security Perimeter 397
Conclusion 398
Exercises 400
Chapter 10: Do You Hear What I Hear? 402
Attack: Wireless (WiFi) Network Access 403
Harm: Confidentiality–Integrity–Availability 410
Attack: Unauthorized Access 412
Vulnerability: Protocol Weaknesses 412
Failed Countermeasure: WEP 416
Stronger but Not Perfect Countermeasure: WPA and WPA2 420
Conclusion 424
Recurring Thread: Privacy—Privacy-Preserving Design 425
Exercises 427
Chapter 11: I Hear You Loud and Clear 430
Attack: Enemies Watch Predator Video 431
Attack Details 432
Threat: Interception 435
Vulnerability: Wiretapping 439
Countermeasure: Encryption 446
Countermeasure: Virtual Private Networks 450
Countermeasure: Cryptographic Key Management Regime 454
Countermeasure: Asymmetric Cryptography 457
Countermeasure: Kerberos 462
Conclusion 466
Recurring Thread: Ethics—Monitoring Users 469
Exercises 470
Interlude B: Electronic Voting 472
What Is Electronic Voting? 473
What Is a Fair Election? 475
What Are the Critical Issues? 475
Chapter 12: Disregard That Man Behind the Curtain 480
Attack: Radar Sees Only Blue Skies 481
Threat: Man in the Middle 482
Threat: “In-the-Middle” Activity 485
Vulnerability: Unwarranted Trust 496
Vulnerability: Failed Identification and Authentication 497
Vulnerability: Unauthorized Access 499
Vulnerability: Inadequate Attention to Program Details 499
Vulnerability: Protocol Weakness 500
Countermeasure: Trust 501
Countermeasure: Identification and Authentication 501
Countermeasure: Cryptography 504
Related Attack: Covert Channel 506
Related Attack: Steganography 515
Conclusion 517
Exercises 518
Chapter 13: Not All Is as It Seems 520
Attacks: Forgeries 521
Threat: Integrity Failure 526
Attack Details 526
Vulnerability: Protocol Weaknesses 538
Vulnerability: Code Flaws 539
Vulnerability: Humans 539
Countermeasure: Digital Signature 541
Countermeasure: Secure Protocols 562
Countermeasure: Access Control 562
Countermeasure: User Education 564
Possible Countermeasure: Analysis 565
Non-Countermeasure: Software Goodness Checker 567
Conclusion 568
Exercises 570
Chapter 14: Play It [Again] Sam, or, Let’s Look at the Instant Replay 572
Attack: Cloned RFIDs 573
Threat: Replay Attacks 574
Vulnerability: Reuse of Session Data 576
Countermeasure: Unrepeatable Protocol 576
Countermeasure: Cryptography 579
Conclusion: Replay Attacks 580
Similar Attack: Session Hijack 580
Vulnerability: Electronic Impersonation 584
Vulnerability: Nonsecret Token 584
Countermeasure: Encryption 585
Countermeasure: IPsec 589
Countermeasure: Design 592
Conclusion 593
Exercises 594
Chapter 15: I Can’t Get No Satisfaction 596
Attack: Massive Estonian Web Failure 597
Threat: Denial of Service 598
Threat: Flooding 598
Threat: Blocked Access 599
Threat: Access Failure 600
Case: Beth Israel Deaconess Hospital Systems Down 601
Vulnerability: Insufficient Resources 602
Vulnerability: Addressee Cannot Be Found 607
Vulnerability: Exploitation of Known Vulnerability 609
Vulnerability: Physical Disconnection 609
Countermeasure: Network Monitoring and Administration 610
Countermeasure: Intrusion Detection and Prevention Systems 614
Countermeasure: Management 626
Conclusion: Denial of Service 629
Extended Attack: E Pluribus Contra Unum 631
Technical Details 634
Recurring Thread: Legal—DDoS Crime Does Not Pay 639
Vulnerability: Previously Described Attacks 639
Countermeasures: Preventing Bot Conscription 641
Countermeasures: Handling an Attack Under Way 643
Conclusion: Distributed Denial of Service 644
Exercises 645
Interlude C: Cyber Warfare 648
What Is Cyber Warfare? 649
Examples of Cyber Warfare 650
Critical Issues 652
Chapter 16: ’Twas Brillig, and the Slithy Toves . . . 658
Attack: Grade Inflation 659
Threat: Data Corruption 660
Countermeasure: Codes 663
Countermeasure: Protocols 664
Countermeasure: Procedures 665
Countermeasure: Cryptography 666
Conclusion 669
Exercises 670
Chapter 17: Peering Through the Window 672
Attack: Sharing Too Much 673
Attack Details: Characteristics of Peer-to-Peer Networks 673
Threat: Inappropriate Data Disclosure 676
Threat: Introduction of Malicious Software 677
Threat: Exposure to Unauthorized Access 678
Vulnerability: User Failure to Employ Access Controls 679
Vulnerability: Unsafe User Interface 679
Vulnerability: Malicious Downloaded Software 680
Countermeasure: User Education 681
Countermeasure: Secure-by-Default Software 681
Countermeasure: Legal Action 682
Countermeasure: Outbound Firewall or Guard 684
Conclusion 685
Recurring Thread: Legal—Protecting Computer Objects 687
Exercises 700
Chapter 18: My 100,000 Nearest and Dearest Friends 702
Attack: I See U 703
Threat: Loss of Confidentiality 704
Threat: Data Leakage 705
Threat: Introduction of Malicious Code 706
Attack Details: Unintended Disclosure 707
Vulnerability: Exploiting Trust Relationships 717
Vulnerability: Analysis on Data 718
Vulnerability: Hidden Data Attributes 718
Countermeasure: Data Suppression and Modification 720
Countermeasure: User Awareness and Education 725
Countermeasure: Policy 729
Conclusion 730
Exercises 732
Afterword 734
Challenges Facing Us 735
Critical Issues 737
Moving Forward: Suggested Next Steps for Improving Computer Security 738
And Now for Something a Little Different 742
Bibliography 745
Index 769
About the Authors:
Dr. Charles P. Pfleeger, an independent computer and information security consultant, provides threat/vulnerability analysis, design review, training, expert testimony, and security advice to clients worldwide. He was master security architect at Cable and Wireless and Exodus Communications, and professor of computer science at the University of Tennessee. Dr. Pfleeger is coauthor of Security in Computing, Fourth Edition (Prentice Hall, 2007), today’s leading college computer security textbook.
Dr. Shari Lawrence Pfleeger is Director of Research for the Institute for Information Infrastructure Protection at Dartmouth College, a consortium working to protect the U.S. cyber infrastructure. The Journal of Systems and Software has repeatedly named her one of the world’s top software engineering researchers. Dr. Pfleeger is coauthor of Security in Computing, Fourth Edition (Prentice Hall, 2007), today’s leading college computer security textbook.
Review:
“This is a must-read book for any budding Security Architect and also makes a great professional reference. I’d recommend this book to any IT architect or specialist wishing to enter the field of security architectures, as well as to anyone who already has that title and wants a good quality reference book.”
—John Hughes, InfoSec Reviews