• Table of Contents

  Page V

• + Preface

  Page IX

  • About This Book

    Page IX

  • + Summary of Contents

    Page IX

    • Part I, Security for Today

      Page IX

    • Part II, Computer Security

      Page X

    • Part III, Communications Security

      Page X

    • Part IV, Other Types of Security

      Page X

    • Part V, Appendixes

      Page 1

  • Using Code Examples

    Page 1

  • Comments and Questions

    Page 1

  • Safari® Enabled

    Page 2

  • Acknowledgments

    Page 2

• Part I

  Page 3

• + Introduction

  Page 5

  • + The New Insecurity

    Page 5

    • + Who You Gonna Call?

      Page 6

      • Information Sharing and Analysis Centers

        Page 7

      • Vulnerable broadband

        Page 8

      • No computer is an island

        Page 9

    • + The Sorry Trail

      Page 9

      • Computer crime

        Page 10

  • + What Is Computer Security?

    Page 11

    • A Broader Definition of Security

      Page 12

    • Secrecy and Confidentiality

      Page 13

    • Accuracy, Integrity, and Authenticity

      Page 13

    • Availability

      Page 14

  • + Threats to Security

    Page 14

    • + Vulnerabilities

      Page 14

      • Physical vulnerabilities

        Page 15

      • Natural vulnerabilities

        Page 15

      • Hardware and software vulnerabilities

        Page 15

      • Media vulnerabilities

        Page 16

      • Emanation vulnerabilities

        Page 16

      • Communications vulnerabilities

        Page 16

      • Human vulnerabilities

        Page 16

      • Exploiting vulnerabilities

        Page 17

    • + Threats

      Page 17

      • Natural and physical threats

        Page 17

      • Unintentional threats

        Page 17

      • Intentional threats

        Page 17

      • Insiders and outsiders

        Page 19

    • + Countermeasures

      Page 19

      • Computer security

        Page 20

      • Communications security

        Page 20

      • Physical security

        Page 20

  • + Why Buy Security?

    Page 20

    • Government Requirements

      Page 21

    • Information Protection

      Page 22

  • What’s a User to Do?

    Page 23

  • Summary

    Page 23

• + Some Security History

  Page 24

  • Information and Its Controls

    Page 24

  • Computer Security: Then and Now

    Page 27

  • + Early Computer Security Efforts

    Page 29

    • Tiger Teams

      Page 31

    • Research and Modeling

      Page 32

    • Secure Systems Development

      Page 33

  • + Building Toward Standardization

    Page 34

    • + Standards for Secure Systems

      Page 34

      • National Computer Security Center

        Page 36

      • Birth of the Orange Book

        Page 37

    • Standards for Cryptography

      Page 38

    • Standards for Emanations

      Page 39

  • + Computer Security Mandates and Legislation

    Page 39

    • The Balancing Act

      Page 40

    • Computer Fraud and Abuse Act

      Page 41

    • Computer Security Act

      Page 42

    • Searching for a Balance

      Page 43

    • Recent Government Security Initiatives

      Page 43

    • Modern Standards for Computer Security

      Page 45

    • GASSP and GAISP Overview

      Page 45

    • Privacy Considerations

      Page 46

  • Summary

    Page 47

• Part II

  Page 49

• + Computer System Security and Access Controls

  Page 51

  • What Makes a System Secure?

    Page 51

  • + System Access: Logging into Your System

    Page 52

    • + Identification and Authentication

      Page 52

      • Multifactor authentication

        Page 53

    • + Login Processes

      Page 53

      • Password Authentication Protocol

        Page 54

      • Challenge Handshake Authentication Protocol (CHAP)

        Page 54

      • Mutual authentication

        Page 54

      • One-time password

        Page 55

      • Per-session authentication

        Page 55

      • Tokens

        Page 55

      • Biometrics

        Page 56

      • Remote access (TACACS and RADIUS)

        Page 56

      • DIAMETER

        Page 57

      • Kerberos

        Page 57

    • + Passwords

      Page 58

      • Protecting passwords

        Page 60

      • Protecting your login and password on entry

        Page 61

      • Protecting your password in storage

        Page 62

      • Password attacks

        Page 63

    • + Authorization

      Page 63

      • Sensitivity labels

        Page 64

      • Access models

        Page 66

    • + Access Control in Practice

      Page 67

      • Discretionary access control

        Page 68

      • Mandatory access control

        Page 71

      • Access decisions

        Page 71

      • Role-based access control

        Page 72

      • Access control lists

        Page 72

    • + Directory Services

      Page 74

      • Email example

        Page 74

      • About X.500

        Page 75

      • Lightweight Directory Access Protocol

        Page 76

    • + Identity Management

      Page 78

      • Financial and legal pressures

        Page 79

  • Summary

    Page 79

• + Viruses and Other Wildlife

  Page 81

  • Financial Effects of Malicious Programs

    Page 81

  • Viruses and Public Health

    Page 82

  • + Viruses, Worms, and Trojans (Oh, My!)

    Page 82

    • + Viruses

      Page 83

      • The history of viruses

        Page 85

    • Worms

      Page 87

    • Trojan Horses

      Page 89

    • Bombs

      Page 90

    • Trap Doors

      Page 91

    • Spoofs and Masquerades

      Page 91

  • Who Writes Viruses?

    Page 92

  • + Remedies

    Page 94

    • Firewalls

      Page 94

    • Antivirus

      Page 94

  • The Virus Hype

    Page 95

  • An Ounce of Prevention

    Page 96

  • Summary

    Page 96

• + Establishing and Maintaining a Security Policy

  Page 98

  • Administrative Security

    Page 99

  • + Overall Planning and Administration

    Page 100

    • + Analyzing Costs and Risks

      Page 101

      • What information do you have, and how important is it?

        Page 101

      • How vulnerable is the information?

        Page 102

      • What is the cost of losing or compromising the information?

        Page 102

      • What is the cost of protecting the information?

        Page 103

      • Who are you going to call?

        Page 103

    • Planning for Disaster

      Page 104

    • Setting Security Rules for Employees

      Page 105

    • Training Users

      Page 105

  • + Day-to-Day Administration

    Page 105

    • Performing Backups

      Page 107

    • Hardware and Software Security Tools

      Page 109

    • Performing a Security Audit

      Page 110

  • Separation of Duties

    Page 111

  • Summary

    Page 112

• + Web Attacks and Internet Vulnerabilities

  Page 114

  • + About the Internet

    Page 114

    • History of Data and Voice Communications

      Page 115

    • Packets, Addresses, and Ports

      Page 116

  • + What Are the Network Protocols?

    Page 118

    • Data Navigation Protocols

      Page 119

    • Data Navigation Protocol Attacks

      Page 120

    • + Other Internet Protocols

      Page 121

      • File Transfer Protocol

        Page 121

      • Simple Mail Transfer Protocol

        Page 121

      • Domain Name Service

        Page 123

      • Dynamic Host Configuration Protocol

        Page 124

      • Network Address Translation

        Page 125

      • Port Address Translation

        Page 126

  • + The Fragile Web

    Page 126

    • How HTML Formats the Web

      Page 127

    • + Advanced Web Services

      Page 127

      • What is a script?

        Page 128

      • Client-side scripting languages

        Page 129

      • Server-side scripting languages

        Page 130

    • + Web Attacks and Preventions

      Page 132

      • Client-side web attacks

        Page 132

      • Server-side web attacks

        Page 133

  • Summary

    Page 135

• Part III

  Page 137

• + Encryption

  Page 139

  • Some History

    Page 140

  • + What Is Encryption?

    Page 143

    • Why Encryption?

      Page 145

    • + Transposition and Substitution Ciphers

      Page 145

      • More about transposition

        Page 146

      • More about substitution

        Page 146

    • + Cryptographic Keys: Private and Public

      Page 148

      • Private key cryptography

        Page 148

      • Public key cryptography

        Page 148

    • Key Management and Distribution

      Page 150

    • One-Time Pad

      Page 152

    • End-to-End and Link Encryption

      Page 153

  • + The Data Encryption Standard

    Page 155

    • What Is the DES?

      Page 156

    • Application of the DES

      Page 160

    • The Advanced Encryption Standard

      Page 162

    • Overview of the AES Development Effort

      Page 162

    • + How AES Works

      Page 163

      • SubBytes

        Page 163

      • Row shift and mix columns

        Page 163

      • Round keys

        Page 165

      • Do it again

        Page 165

  • + Other Cryptographic Algorithms

    Page 165

    • AES Round 1 Candidate Algorithms

      Page 166

    • Public Key Algorithms

      Page 167

    • The RSA Algorithm

      Page 167

    • + Digital Signatures and Certificates

      Page 168

      • Certificates

        Page 169

      • Certificate Authorities

        Page 169

    • Government Algorithms

      Page 170

  • Message Authentication

    Page 171

  • + Government Cryptographic Programs

    Page 172

    • NSA

      Page 172

    • NIST

      Page 172

    • Treasury

      Page 173

  • Cryptographic Export Restrictions

    Page 173

  • Summary

    Page 174

• + Communications and Network Security

  Page 175

  • + What Makes Communication Secure?

    Page 176

    • Communications Vulnerabilities

      Page 177

    • Communications Threats

      Page 178

  • Modems

    Page 179

  • + Networks

    Page 181

    • + Network Terms

      Page 181

      • Protocols and layers

        Page 183

    • Some Network History

      Page 185

    • + Network Media

      Page 186

      • Twisted pair cable

        Page 187

      • Coaxial cable

        Page 187

      • Fiber-optic cable

        Page 187

      • Microwave

        Page 188

      • Satellite

        Page 188

  • + Network Security

    Page 189

    • + Access Control Methods

      Page 190

      • Discretionary access control

        Page 190

      • Role-based access control

        Page 190

      • Mandatory access control

        Page 190

    • Auditing

      Page 191

    • Perimeters and Gateways

      Page 191

    • Security in Heterogeneous Environments

      Page 192

    • + Encrypted Communications

      Page 192

      • End-to-end encryption

        Page 193

      • Link encryption

        Page 193

    • + Through the Tunnel

      Page 193

      • VPNs for remote access

        Page 196

      • VPNs for internetworking

        Page 196

      • VPNs inside the firewall

        Page 196

      • VPN tunneling protocols

        Page 196

    • + Network Security Tasks

      Page 197

      • Communications integrity

        Page 198

      • Denial of service

        Page 198

      • Compromise protection

        Page 199

    • + Securing Communications

      Page 199

      • Internet Protocol Security (IPSec)

        Page 199

    • Kerberos

      Page 200

  • Summary

    Page 201

• Part IV

  Page 203

• + Physical Security and Biometrics

  Page 205

  • + Physical Security

    Page 206

    • + Natural Disasters

      Page 207

      • Fire and smoke

        Page 207

      • Climate

        Page 207

      • Earthquakes and vibration

        Page 208

      • Water

        Page 208

      • Electricity

        Page 208

      • Lightning

        Page 209

    • Risk Analysis and Disaster Planning

      Page 209

  • + Locks and Keys: Old and New

    Page 209

    • Types of Locks

      Page 211

    • Tokens

      Page 212

    • Challenge-Response Systems

      Page 212

    • Cards: Smart and Dumb

      Page 213

  • + Biometrics

    Page 214

    • Retina Patterns

      Page 217

    • Iris Scans

      Page 218

    • Fingerprints

      Page 218

    • Handprints

      Page 219

    • Voice Patterns

      Page 219

    • Keystrokes

      Page 220

    • Signature and Writing Patterns

      Page 220

  • Gentle Reminder

    Page 220

  • Summary

    Page 221

• + Wireless Network Security

  Page 222

  • How We Got Here

    Page 222

  • + Today’s Wireless Infrastructure

    Page 223

    • Wireless Costs

      Page 225

  • How Wireless Works

    Page 227

  • + Playing the Fields

    Page 230

    • Keeping the Waves Inside

      Page 231

  • What Is This dB Stuff?

    Page 233

  • Why Does All This Matter?

    Page 234

  • Encouraging Diversity

    Page 235

  • + Physical Layer Wireless Attacks

    Page 235

    • Hardening Wireless Access Points

      Page 236

    • The Tie That Binds

      Page 238

    • Sophisticated Physical Layer Attacks

      Page 239

    • Forced Degradation Attacks

      Page 240

    • Eavesdropping Attacks

      Page 241

    • Eavesdropping Defenses

      Page 242

    • Advanced Eavesdropping Attacks

      Page 243

    • Rogue Access Points

      Page 244

  • Summary

    Page 247

• Part V

  Page 249

• OSI Model

  Page 251

• + TEMPEST

  Page 254

  • The Problem of Emanations

    Page 254

  • + The TEMPEST Program

    Page 255

    • Faraday Screens

      Page 257

    • Source Suppression

      Page 257

  • TEMPEST Standards

    Page 258

  • Hard As You Try

    Page 258

• + The Orange Book, FIPS PUBS, and the Common Criteria

  Page 260

  • + About the Orange Book

    Page 261

    • + Orange Book Security Concepts

      Page 262

      • Security policy

        Page 263

      • Accountability

        Page 263

      • Assurance

        Page 264

      • Documentation

        Page 265

  • + Rating by the Book

    Page 266

    • Discretionary and Mandatory Access Control

      Page 268

    • Object Reuse

      Page 268

    • + Labels

      Page 268

      • Label integrity

        Page 269

      • Exportation of labeled information

        Page 269

      • Subject sensitivity labels

        Page 271

      • Device labels

        Page 271

  • + Summary of Orange Book Classes

    Page 271

    • D Systems: Minimal Security

      Page 271

    • C1 Systems: Discretionary Security Protection

      Page 271

    • C2 Systems: Controlled Access Protection

      Page 273

    • B1 Systems: Labeled Security Protection

      Page 273

    • B2 Systems: Structured Protection

      Page 274

    • B3 Systems: Security Domains

      Page 274

    • A1 Systems: Verified Design

      Page 275

    • Complaints About the Orange Book

      Page 275

  • FIPS by the Numbers

    Page 275

  • + I Don’t Want You Smelling My Fish

    Page 280

    • Common Criteria Evaluation Assurance Levels (EALs)

      Page 281

• Index

  Page 285

This is the must-have book for a must-know field. Today, general security knowledge is mandatory, and, if you who need to understand the fundamentals, _Computer Security Basics_ 2nd Edition is the book to consult. >
The new edition builds on the well-established principles developed in the original edition and thoroughly updates that core knowledge. For anyone involved with computer security, including security administrators, system administrators, developers, and IT managers, _Computer Security Basics_ 2nd Edition offers a clear overview of the security concepts you need to know, including access controls, malicious software, security policy, cryptography, biometrics, as well as government regulations and standards. >
This handbook describes complicated concepts such as trusted systems, encryption, and mandatory access control in simple terms. It tells you what you need to know to understand the basics of computer security, and it will help you persuade your employees to practice safe computing. >
Topics include: * Computer security concepts * Security breaches, such as viruses and other malicious programs * Access controls * Security policy * Web attacks * Communications and network security * Encryption * Physical security and biometrics * Wireless network security * Computer security and requirements of the Orange Book * OSI Model and TEMPEST