Analyzing Computer Security: A Threat/Vulnerability/Countermeasure Approach, Rough Cuts
- By Charles P. Pfleeger, Shari Lawrence Pfleeger
- Published Mar 29, 2011 by Pearson.
Rough Cuts
- Available to Safari Subscribers
- About Rough Cuts
Rough Cuts are manuscripts that are developed but not yet published, available through Safari. Rough Cuts provide you access to the very latest information on a given topic and offer you the opportunity to interact with the author to influence the final publication.
Also available in other formats.
Description
- Copyright 2011
- Dimensions: 7" x 9-1/8"
- Edition: 1st
- Rough Cuts
- ISBN-10: 0-13-278948-5
- ISBN-13: 978-0-13-278948-6
This is the Rough Cut version of the printed book.
—Charles C. Palmer, IBM Research“In this book, the authors adopt a refreshingly new approach to explaining the intricacies of the security and privacy challenge that is particularly well suited to today’s cybersecurity challenges. Their use of the threat–vulnerability–countermeasure paradigm combined with extensive real-world examples throughout results in a very effective learning methodology.”
The Modern Introduction to Computer Security: Understand Threats, Identify Their Causes, and Implement Effective Countermeasures
Analyzing Computer Security is a fresh, modern, and relevant introduction to computer security. Organized around today’s key attacks, vulnerabilities, and countermeasures, it helps you think critically and creatively about computer security—so you can prevent serious problems and mitigate the effects of those that still occur.
In this new book, renowned security and software engineering experts Charles P. Pfleeger and Shari Lawrence Pfleeger—authors of the classic Security in Computing—teach security the way modern security professionals approach it: by identifying the people or things that may cause harm, uncovering weaknesses that can be exploited, and choosing and applying the right protections. With this approach, not only will you study cases of attacks that have occurred, but you will also learn to apply this methodology to new situations.
The book covers “hot button” issues, such as authentication failures, network interception, and denial of service. You also gain new insight into broader themes, including risk analysis, usability, trust, privacy, ethics, and forensics. One step at a time, the book systematically helps you develop the problem-solving skills needed to protect any information infrastructure.
Coverage includes
- Understanding threats, vulnerabilities, and countermeasures
- Knowing when security is useful, and when it’s useless “security theater”
- Implementing effective identification and authentication systems
- Using modern cryptography and overcoming weaknesses in cryptographic systems
- Protecting against malicious code: viruses, Trojans, worms, rootkits, keyloggers, and more
- Understanding, preventing, and mitigating DOS and DDOS attacks
- Architecting more secure wired and wireless networks
- Building more secure application software and operating systems through more solid designs and layered protection
- Protecting identities and enforcing privacy
- Addressing computer threats in critical areas such as cloud computing, e-voting, cyberwarfare, and social media
Sample Content
Table of Contents
Foreword xxiii
Preface xxvii
About the Authors xxxv
Chapter 1: Security Blanket or Security Theater? 2
How Dependent Are We on Computers? 6
What Is Computer Security? 8
Threats 11
Harm 24
Vulnerabilities 30
Controls 30
Analyzing Security With Examples 33
Conclusion 34
Exercises 35
Chapter 2: Knock, Knock. Who’s There? 38
Attack: Impersonation 39
Attack Details: Failed Authentication 40
Vulnerability: Faulty or Incomplete Authentication 41
Countermeasure: Strong Authentication 47
Conclusion 64
Recurring Thread: Privacy 67
Recurring Thread: Usability 69
Exercises 71
Chapter 3: 2 + 2 = 5 72
Attack: Program Flaw in Spacecraft Software 74
Threat: Program Flaw Leads to Security Failing 75
Vulnerability: Incomplete Mediation 77
Vulnerability: Race Condition 79
Vulnerability: Time-of-Check to Time-of-Use 82
Vulnerability: Undocumented Access Point 84
Ineffective Countermeasure: Penetrate-and-Patch 85
Countermeasure: Identifying and Classifying Faults 86
Countermeasure: Secure Software Design Elements 90
Countermeasure: Secure Software Development Process 97
Good Design 103
Countermeasure: Testing 114
Countermeasure: Defensive Programming 122
Conclusion 123
Recurring Thread: Legal—Redress for Software Failures 125
Exercises 128
Chapter 4: A Horse of a Different Color 130
Attack: Malicious Code 131
Threat: Malware—Virus, Trojan Horse, and Worm 132
Technical Details: Malicious Code 138
Vulnerability: Voluntary Introduction 155
Vulnerability: Unlimited Privilege 157
Vulnerability: Stealthy Behavior—Hard to Detect and Characterize 157
Countermeasure: Hygiene 158
Countermeasure: Detection Tools 159
Countermeasure: Error Detecting and Error Correcting Codes 166
Countermeasure: Memory Separation 170
Countermeasure: Basic Security Principles 171
Recurring Thread: Legal—Computer Crime 172
Conclusion 177
Exercises 178
Chapter 5: The Keys to the Kingdom 180
Attack: Keylogging 181
Threat: Illicit Data Access 182
Attack Details 182
Harm: Data and Reputation 186
Vulnerability: Physical Access 186
Vulnerability: Misplaced Tr