Analyzing Computer Security

Description

Foreword xxiii

Preface xxvii

About the Authors xxxv

Chapter 1: Security Blanket or Security Theater? 2

How Dependent Are We on Computers? 6

What Is Computer Security? 8

Threats 11

Harm 24

Vulnerabilities 30

Controls 30

Analyzing Security With Examples 33

Conclusion 34

Exercises 35

Chapter 2: Knock, Knock. Who’s There? 38

Attack: Impersonation 39

Attack Details: Failed Authentication 40

Vulnerability: Faulty or Incomplete Authentication 41

Countermeasure: Strong Authentication 47

Conclusion 64

Recurring Thread: Privacy 67

Recurring Thread: Usability 69

Exercises 71

Chapter 3: 2 + 2 = 5 72

Attack: Program Flaw in Spacecraft Software 74

Threat: Program Flaw Leads to Security Failing 75

Vulnerability: Incomplete Mediation 77

Vulnerability: Race Condition 79

Vulnerability: Time-of-Check to Time-of-Use 82

Vulnerability: Undocumented Access Point 84

Ineffective Countermeasure: Penetrate-and-Patch 85

Countermeasure: Identifying and Classifying Faults 86

Countermeasure: Secure Software Design Elements 90

Countermeasure: Secure Software Development Process 97

Good Design 103

Countermeasure: Testing 114

Countermeasure: Defensive Programming 122

Conclusion 123

Recurring Thread: Legal—Redress for Software Failures 125

Exercises 128

Chapter 4: A Horse of a Different Color 130

Attack: Malicious Code 131

Threat: Malware—Virus, Trojan Horse, and Worm 132

Technical Details: Malicious Code 138

Vulnerability: Voluntary Introduction 155

Vulnerability: Unlimited Privilege 157

Vulnerability: Stealthy Behavior—Hard to Detect and Characterize 157

Countermeasure: Hygiene 158

Countermeasure: Detection Tools 159

Countermeasure: Error Detecting and Error Correcting Codes 166

Countermeasure: Memory Separation 170

Countermeasure: Basic Security Principles 171

Recurring Thread: Legal—Computer Crime 172

Conclusion 177

Exercises 178

Chapter 5: The Keys to the Kingdom 180

Attack: Keylogging 181

Threat: Illicit Data Access 182

Attack Details 182

Harm: Data and Reputation 186

Vulnerability: Physical Access 186

Vulnerability: Misplaced Trust 187

Vulnerability: Insiders 189

Vulnerability: System Subversion 191

Recurring Thread: Forensics—Tracing Data Flow 193

Vulnerability: Weak Authentication 194

Failed Countermeasure: Security through Obscurity 194

Countermeasure: Physical Access Control 196

Countermeasure: Strong Authentication 198

Countermeasure: Trust/Least Privilege 202

Conclusion 204

Recurring Thread: Forensics—Plug-and-Play Devices 205

Exercises 207

Interlude A: Cloud Computing 210

What Is Cloud Computing? 211

What Are the Risks in the Cloud? 213

Chapter 6: My Cup Runneth Over 216

Attack: What Did You Say That Number Was? 217

Harm: Destruction of Code and Data 218

Vulnerability: Off-by-One Error 230

Vulnerability: Integer Overflow 231

Vulnerability: Unterminated Null-Terminated String 232

Vulnerability: Parameter Length and Number 233

Vulnerability: Unsafe Utility Programs 234

Attack: Important Overflow Exploitation Examples 234

Countermeasure: Programmer Bounds Checking 244

Countermeasure: Programming Language Support 244

Countermeasure: Stack Protection/Tamper Detection 247

Countermeasure: Hardware Protection of Executable Space 249

Countermeasure: General Access Control 261

Conclusion 272

Exercises 274

Chapter 7: He Who Steals My Purse . . . 276

Attack: Veterans’ Administration Laptop Stolen 277

Threat: Loss of Data 278

Extended Threat: Disaster 278

Vulnerability: Physical Access 279

Vulnerability: Unprotected Availability of Data 279

Vulnerability: Unprotected Confidentiality of Data 279

Countermeasure: Policy 280

Countermeasure: Physical Security 280

Countermeasure: Data Redundancy (Backup) 282

Countermeasure: Encryption 286

Countermeasure: Disk Encryption 325

Conclusion 326

Exercises 329

Chapter 8: The Root of All Evil 332

Background: Operating System Structure 333

Attack: Phone Rootkit 337

Attack Details: What Is a Rootkit? 338

Vulnerability: Software Complexity 347

Vulnerability: Difficulty of Detection and Eradication 347

Countermeasure: Simplicity of Design 348

Countermeasure: Trusted Systems 353

Conclusion 364

Exercises 365

Chapter 9: Scanning the Horizon 368

Attack: Investigation, Intrusion, and Compromise 369

Threat: Port Scan 370

Attack Details 371

Harm: Knowledge and Exposure 374

Recurring Thread: Legal—Are Port Scans Legal? 375

Vulnerability: Revealing Too Much 376

Vulnerability: Allowing Internal Access 376

Countermeasure: System Architecture 377

Countermeasure: Firewall 378

Countermeasure: Network Address Translation (NAT) 397

Countermeasure: Security Perimeter 399

Conclusion 400

Exercises 402

Chapter 10: Do You Hear What I Hear? 404

Attack: Wireless (WiFi) Network Access 405

Harm: Confidentiality–Integrity–Availability 412

Attack: Unauthorized Access 414

Vulnerability: Protocol Weaknesses 414

Failed Countermeasure: WEP 418

Stronger but Not Perfect Countermeasure: WPA and WPA2 422

Conclusion 426

Recurring Thread: Privacy—Privacy-Preserving Design 427

Exercises 429

Chapter 11: I Hear You Loud and Clear 432

Attack: Enemies Watch Predator Video 433

Attack Details 434

Threat: Interception 437

Vulnerability: Wiretapping 441

Countermeasure: Encryption 448

Countermeasure: Virtual Private Networks 452

Countermeasure: Cryptographic Key Management Regime 456

Countermeasure: Asymmetric Cryptography 459

Countermeasure: Kerberos 464

Conclusion 468

Recurring Thread: Ethics—Monitoring Users 471

Exercises 472

Interlude B: Electronic Voting 474

What Is Electronic Voting? 475

What Is a Fair Election? 477

What Are the Critical Issues? 477

Chapter 12: Disregard That Man Behind the Curtain 482

Attack: Radar Sees Only Blue Skies 483

Threat: Man in the Middle 484

Threat: “In-the-Middle” Activity 487

Vulnerability: Unwarranted Trust 498

Vulnerability: Failed Identification and Authentication 499

Vulnerability: Unauthorized Access 501

Vulnerability: Inadequate Attention to Program Details 501

Vulnerability: Protocol Weakness 502

Countermeasure: Trust 503

Countermeasure: Identification and Authentication 503

Countermeasure: Cryptography 506

Related Attack: Covert Channel 508

Related Attack: Steganography 517

Conclusion 519

Exercises 520

Chapter 13: Not All Is as It Seems 524

Attacks: Forgeries 525

Threat: Integrity Failure 530

Attack Details 530

Vulnerability: Protocol Weaknesses 542

Vulnerability: Code Flaws 543

Vulnerability: Humans 543

Countermeasure: Digital Signature 545

Countermeasure: Secure Protocols 566

Countermeasure: Access Control 566

Countermeasure: User Education 568

Possible Countermeasure: Analysis 569

Non-Countermeasure: Software Goodness Checker 571

Conclusion 572

Exercises 574

Chapter 14: Play It [Again] Sam, or, Let’s Look at the Instant Replay 576

Attack: Cloned RFIDs 577

Threat: Replay Attacks 578

Vulnerability: Reuse of Session Data 580

Countermeasure: Unrepeatable Protocol 580

Countermeasure: Cryptography 583

Conclusion: Replay Attacks 584

Similar Attack: Session Hijack 584

Vulnerability: Electronic Impersonation 588

Vulnerability: Nonsecret Token 588

Countermeasure: Encryption 589

Countermeasure: IPsec 593

Countermeasure: Design 596

Conclusion 597

Exercises 598

Chapter 15: I Can’t Get No Satisfaction 600

Attack: Massive Estonian Web Failure 601

Threat: Denial of Service 602

Threat: Flooding 602

Threat: Blocked Access 603

Threat: Access Failure 604

Case: Beth Israel Deaconess Hospital Systems Down 605

Vulnerability: Insufficient Resources 606

Vulnerability: Addressee Cannot Be Found 611

Vulnerability: Exploitation of Known Vulnerability 613

Vulnerability: Physical Disconnection 613

Countermeasure: Network Monitoring and Administration 614

Countermeasure: Intrusion Detection and Prevention Systems 618

Countermeasure: Management 630

Conclusion: Denial of Service 633

Extended Attack: E Pluribus Contra Unum 635

Technical Details 638

Recurring Thread: Legal—DDoS Crime Does Not Pay 643

Vulnerability: Previously Described Attacks 643

Countermeasures: Preventing Bot Conscription 645

Countermeasures: Handling an Attack Under Way 647

Conclusion: Distributed Denial of Service 648

Exercises 649

Interlude C: Cyber Warfare 652

What Is Cyber Warfare? 653

Examples of Cyber Warfare 654

Critical Issues 656

Chapter 16: ’Twas Brillig, and the Slithy Toves . . . 662

Attack: Grade Inflation 663

Threat: Data Corruption 664

Countermeasure: Codes 667

Countermeasure: Protocols 668

Countermeasure: Procedures 669

Countermeasure: Cryptography 670

Conclusion 673

Exercises 674

Chapter 17: Peering through the Window 676

Attack: Sharing Too Much 677

Attack Details: Characteristics of Peer-to-Peer Networks 677

Threat: Inappropriate Data Disclosure 680

Threat: Introduction of Malicious Software 681

Threat: Exposure to Unauthorized Access 682

Vulnerability: User Failure to Employ Access Controls 683

Vulnerability: Unsafe User Interface 683

Vulnerability: Malicious Downloaded Software 684

Countermeasure: User Education 685

Countermeasure: Secure-by-Default Software 685

Countermeasure: Legal Action 686

Countermeasure: Outbound Firewall or Guard 688

Conclusion 689

Recurring Thread: Legal—Protecting Computer Objects 691

Exercises 704

Chapter 18: My 100,000 Nearest and Dearest Friends 706

Attack: I See U 707

Threat: Loss of Confidentiality 708

Threat: Data Leakage 709

Threat: Introduction of Malicious Code 710

Attack Details: Unintended Disclosure 711

Vulnerability: Exploiting Trust Relationships 721

Vulnerability: Analysis on Data 722

Vulnerability: Hidden Data Attributes 722

Countermeasure: Data Suppression and Modification 724

Countermeasure: User Awareness and Education 729

Countermeasure: Policy 733

Conclusion 734

Exercises 736

Afterword 738

Challenges Facing Us 739

Critical Issues 741

Moving Forward: Suggested Next Steps for Improving Computer Security 742

And Now for Something a Little Different 746

Bibliography 749

Index 773

“In this book, the authors adopt a refreshingly new approach to explaining the intricacies of the security and privacy challenge that is particularly well suited to today’s cybersecurity challenges. Their use of the threat–vulnerability–countermeasure paradigm combined with extensive real-world examples throughout results in a very effective learning methodology.”

—Charles C. Palmer, IBM Research

The Modern Introduction to Computer Security: Understand Threats, Identify Their Causes, and Implement Effective Countermeasures

Analyzing Computer Security is a fresh, modern, and relevant introduction to computer security. Organized around today’s key attacks, vulnerabilities, and countermeasures, it helps you think critically and creatively about computer security—so you can prevent serious problems and mitigate the effects of those that still occur.

In this new book, renowned security and software engineering experts Charles P. Pfleeger and Shari Lawrence Pfleeger—authors of the classic Security in Computing—teach security the way modern security professionals approach it: by identifying the people or things that may cause harm, uncovering weaknesses that can be exploited, and choosing and applying the right protections. With this approach, not only will you study cases of attacks that have occurred, but you will also learn to apply this methodology to new situations.

The book covers “hot button” issues, such as authentication failures, network interception, and denial of service. You also gain new insight into broader themes, including risk analysis, usability, trust, privacy, ethics, and forensics. One step at a time, the book systematically helps you develop the problem-solving skills needed to protect any information infrastructure.

Coverage includes

• Understanding threats, vulnerabilities, and countermeasures
• Knowing when security is useful, and when it’s useless “security theater”
• Implementing effective identification and authentication systems
• Using modern cryptography and overcoming weaknesses in cryptographic systems
• Protecting against malicious code: viruses, Trojans, worms, rootkits, keyloggers, and more
• Understanding, preventing, and mitigating DOS and DDOS attacks
• Architecting more secure wired and wireless networks
• Building more secure application software and operating systems through more solid designs and layered protection
• Protecting identities and enforcing privacy
• Addressing computer threats in critical areas such as cloud computing, e-voting, cyberwarfare, and social media

• Introduces computer security the way today’s practitioners want to learn it: by identifying threats, explaining the vulnerabilities that cause them, and presenting effective countermeasures
• Contains up-to-date coverage of security management, risk analysis, privacy, controls, forensics, insider attacks, human factors, trust, and more
• Includes 273 problems and 192 illustrations

Dr. Charles P. Pfleeger, an independent computer and information security consultant, provides threat/vulnerability analysis, design review, training, expert testimony, and security advice to clients worldwide. He was master security architect at Cable and Wireless and Exodus Communications, and professor of computer science at the University of Tennessee. Dr. Pfleeger is coauthor of Security in Computing, Fourth Edition (Prentice Hall, 2007), today’s leading college computer security textbook.

Dr. Shari Lawrence Pfleeger is Director of Research for the Institute for Information Infrastructure Protection at Dartmouth College, a consortium working to protect the U.S. cyber infrastructure. The Journal of Systems and Software has repeatedly named her one of the world’s top software engineering researchers. Dr. Pfleeger is coauthor of Security in Computing, Fourth Edition (Prentice Hall, 2007), today’s leading college computer security textbook.

A fresh new approach to computer security by the authors of the 20-year best-selling classic Security in Computing

 

• Introduces computer security the way today’s practitioners want to learn it: by identifying threats, explaining the vulnerabilities that cause them, and presenting effective countermeasures
• Contains up-to-date coverage of security management, risk analysis, privacy, controls, forensics, insider attacks, human factors, trust, and more
• Includes 273 problems and 192 illustrations

“This is a must-read book for any budding Security Architect and also makes a great professional reference. I’d recommend this book to any IT architect or specialist wishing to enter the field of security architectures, as well as to anyone who already has that title and wants a good quality reference book.”-John Hughes, InfoSec Reviews

In this book, the authors of the 20-year best-selling classic Security in Computing take a fresh, contemporary, and powerfully relevant new approach to introducing computer security.

 

Organised around attacks and mitigations, the Pfleegers’ new Analyzing Computer Security will attract students’ attention by building on the high-profile security failures they may have already encountered in the popular media. Each section starts with an attack description. Next, the authors explain the vulnerabilities that have allowed this attack to occur. With this foundation in place, they systematically present today’s most effective countermeasures for blocking or weakening the attack. One step at a time, students progress from attack/problem/harm to solution/protection/mitigation, building the powerful real-world problem solving skills they need to succeed as information security professionals. Analyzing Computer Security addresses crucial contemporary computer security themes throughout, including effective security management and risk analysis; economics and quantitative study; privacy, ethics, and laws; and the use of overlapping controls. The authors also present significant new material on computer forensics, insiders, human factors, and trust.

 

Additional information

Dimensions	1.30 × 7.10 × 9.30 in
Imprint	Pearson
Format	gen
ISBN-13	09780132789462
ISBN-10	0132789469
Author	Shari Lawrence Pfleeger, Charles P. Pfleeger
BISAC	COM053000
Subjects	cybersecurity, professional, hacking, higher education, COM053000, Employability, IT Professional, W-60 PROFESSIONAL ENGINEERING