Security in Computing, 4th Edition

Product Author Bios

Charles P. Pfleeger is an independent information security consultant and principal of the Pfleeger Consulting Group. He specializes in threat/vulnerability analysis, system design review, certification preparation, expert witness testimony, and training.

Shari Lawrence Pfleeger, a senior information scientist at the RAND Corporation, has written ten books on software engineering, measurement, and quality, including Software Engineering: Theory and Practice, Third Edition (Prentice Hall, 2006). She was named one of the world's top software engineering researchers by the Journal of Systems and Software.

The New State-of-the-Art in Information Security: Now Covers the Economics of Cyber Security and the Intersection of Privacy and Information Security

For years, IT and security professionals and students have turned to Security in Computing as the definitive guide to information about computer security attacks and countermeasures. In their new fourth edition, Charles P. Pfleeger and Shari Lawrence Pfleeger have thoroughly updated their classic guide to reflect today's newest technologies, standards, and trends.

The authors first introduce the core concepts and vocabulary of computer security, including attacks and controls. Next, the authors systematically identify and assess threats now facing programs, operating systems, database systems, and networks. For each threat, they offer best-practice responses.

Security in Computing, Fourth Edition, goes beyond technology, covering crucial management issues faced in protecting infrastructure and information. This edition contains an all-new chapter on the economics of cybersecurity, explaining ways to make a business case for security investments. Another new chapter addresses privacy--from data mining and identity theft, to RFID and e-voting.

New coverage also includes

• Programming mistakes that compromise security: man-in-the-middle, timing, and privilege escalation attacks
• Web application threats and vulnerabilities
• Networks of compromised systems: bots, botnets, and drones
• Rootkits--including the notorious Sony XCP
• Wi-Fi network security challenges, standards, and techniques
• New malicious code attacks, including false interfaces and keystroke loggers
• Improving code quality: software engineering, testing, and liability approaches
• Biometric authentication: capabilities and limitations
• Using the Advanced Encryption System (AES) more effectively
• Balancing dissemination with piracy control in music and other digital content
• Countering new cryptanalytic attacks against RSA, DES, and SHA
• Responding to the emergence of organized attacker groups pursuing profit

Supplements

Educational Supplements

This site contains material supplemental to Security in Computing, 4/e, including:

• PowerPoint slides of the text illustrations: figures-1.zip and figures-2.zip
  
• Links to related videos.
  
• Links to security-related Web sites picked by the authors.
  
• Updated sidebars abstracting computer security reports and articles, with links to the full text.
  
• Sample syllabi for using the book in college-level courses.
  
• Instructor's Manual - Professors, please contact your local Prentice Hall Sales Representative.
  

For further information about the authors, you may wish to visit Shari Lawrence Pfleeger's Web site or Charles Pfleeger's Web Site.

Videos

(Link check: After links in this list you will find a month and year in parentheses to show when the link was last checked and found to be valid. Please help us maintain the currency of this list by reporting any inactive links.)

Nova sometimes does interesting one-hour stories on things related to computer security. For example, there was a program called "Secrets, Lies and Atomic Spies," that chronicles the spies in the 1940s and how they operated. There is information about coded messages, examples of ciphers, and so on. Others are called "Decoding Nazi Secrets," "Secrets of Making Money," and "The KGB, the Computer and Me" (a version of Cliff Stoll's "Stalking the Wily Hacker"). (Dec 06)

The PBS program Frontline is also an excellent source of good, accurate stories of interest in computer security. In "Hackers" they interview people from security professionals to hackers to understand the hacker threat. Read the interviews at http://www.pbs.org/wgbh/pages/frontline/shows/hackers/risks/dangers.html. Related to the economics of cybersecurity (Chapter 9) Frontline also interviewed professionals on measuring the costs of cybercrime. Read the interviews at http://www.pbs.org/wgbh/pages/frontline/shows/hackers/risks/cost.html. The interviews also covered web surfing privacy (Chapter 10) and web bugs, cookies, and tracking. The interviews are at http://www.pbs.org/wgbh/pages/frontline/shows/hackers/risks/corphack.html. (Dec 06)

The BBC program Panorama does hard-hitting documentaries, and some of their programs are available on video. Examples that might interest you are "Cyber Attack" (With the world still reeling from the Lovebug virus, which infected millions of computers Panorama viewer John Chamberlain decided to test the security of the Powergen website after seeing the program, and exposed flaws in their protection of personal information.) See http://news.bbc.co.uk/1/hi/programmes/panorama/817114.stm ) and "Attack of the Cyber Pirates". Unfortunately, Panorama has not done any episodes on computer security topics recently. (Dec 06)

Commercial Portals and Private Links Lists

Many security portals have links to web sites related to security. And although they are not portals in the commercial sense, some computer security researchers maintain extensive lists of links. Several good portal sites are:
Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS) provides a hotlist of links to websites, publications, and events in security. (Dec 06)

The Computer Emergency Response Team Coordinating Center (CERT-CC), located at the Software Engineering Institute at Carnegie Mellon University, is a center of Internet security expertise. The center's research involves handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems, and developing information and training to help improve security at your site. (Dec 06)

The SANS (SysAdmin, Audit, Network, Security) Institute site offers resources such as their lists of top vulnerabilities and FAQs on topics such as malware and intrusion detection. In addition, SANS provides a reading room with over 1700 articles and references related to information security. (Dec 06)

InfosysSec is a comprehensive portal for information security links. In addition to a scrolling list of pointers to security news items, they publish links to many newsletters, tools, research resources, commercial white papers. The site is indexed and searchable. (Dec 06)

SecurityFocus, Inc. provides a library of vulnerabilities, news articles, and white papers related to computer security. Especially noteworthy is its famous bugtraq archive/mailing list of security-relevant flaws. (Dec 06)

The Institute for Electrical and Electronics Engineers (IEEE) Computer Society, Technical Committee on Security and Privacy maintains a good listing of journals and conferences in security. Its newsletter, Cipher, provides information on past and upcoming workshops and conferences, book reviews, and reports all related to computer security. It calendar of events is a comprehensive listing of upcoming computer security conferences. (Dec 06)

The National Institute of Standards and Technology (NIST) early security papers archive has copies of some of the original and sometimes hard-to-find papers in security. (Dec 06)

Ross Anderson's web page at is a veritable treasure trove of good links. One of the top researchers in computer security, Anderson organizes his web page by his own research interest topics. But because he is interested in so many facets of computer security, his links will lead you many of the important topics in computer security. (Dec 06)

Similarly, Bruce Schneier is an eminent computer security researcher with broad interests. Schneier's web site covers his blog of current incidents and issues in the field, with some well-based predictions for the future. (Dec 06)

Tom Dunigan's web page has lots of resources, although he is not maintaining it regularly these days. (Dec 06)<

Related Articles

Abusing and Misusing Wireless Cameras

Data Loss and Full Disk Encryption

Information as a Weapon of Mass Destruction

Author's Site

For further information about the authors, you may wish to visit Shari Lawrence Pfleeger's Web site or Charles Pfleeger's Web Site.

Online Sample Chapter

Is There a Security Problem in Computing?

Index

Download the Index from this book.

Foreword

Download the Foreword from this book.

Table of Contents

Foreword     xix
Preface     xxv Chapter 1: Is There a Security Problem in Computing?     1

  1.1    What Does "Secure" Mean?     1
  1.2    Attacks     5
  1.3    The Meaning of Computer Security     9
  1.4    Computer Criminals     21
  1.5    Methods of Defense     23
  1.6    What's Next     30
  1.7    Summary     32
  1.8    Terms and Concepts     32
  1.9    Where the Field Is Headed     33
1.10    To Learn More     34
1.11     Exercises     34

  2.1    Terminology and Background     38
  2.2    Substitution Ciphers     44
  2.3    Transpositions (Permutations)     55
  2.4    Making "Good" Encryption Algorithms     59
  2.5    The Data Encryption Standard     68
  2.6    The AES Encryption Algorithm     72
  2.7    Public Key Encryption     75
  2.8    The Uses of Encryption     79
  2.9    Summary of Encryption     91
2.10    Terms and Concepts     92
2.11    Where the Field Is Headed     93
2.12    To Learn More     94
2.13    Exercises     94

  3.1    Secure Programs     99
  3.2    Nonmalicious Program Errors     103
  3.3    Viruses and Other Malicious Code     111
  3.4    Targeted Malicious Code     141
  3.5    Controls Against Program Threats     160
  3.6    Summary of Program Threats and Controls     181
  3.7    Terms and Concepts     182
  3.8    Where the Field Is Headed     183
  3.9    To Learn More     185
3.10    Exercises     185

  4.1    Protected Objects and Methods of Protection     189
  4.2    Memory and Address Protection     193
  4.3    Control of Access to General Objects     204
  4.4    File Protection Mechanisms     215
  4.5    User Authentication     219
  4.6    Summary of Security for Users     236
  4.7    Terms and Concepts     237
  4.8    Where the Field Is Headed     238
  4.9    To Learn More     239
4.10    Exercises     239

  5.1    What Is a Trusted System?     243
  5.2    Security Policies     245
  5.3    Models of Security     252
  5.4    Trusted Operating System Design     264
  5.5    Assurance in Trusted Operating Systems     287
  5.6    Summary of Security in Operating Systems     312
  5.7    Terms and Concepts     313
  5.8    Where the Field Is Headed     315
  5.9    To Learn More     315
5.10    Exercises     316

  6.1    Introduction to Databases     319
  6.2    Security Requirements     324
  6.3    Reliability and Integrity     329
  6.4    Sensitive Data     335
  6.5    Inference     341
  6.6    Multilevel Databases     351
  6.7    Proposals for Multilevel Security     356
  6.8    Data Mining     367
  6.9    Summary of Database Security     371
6.10    Terms and Concepts     371
6.11    Where the Field Is Headed     372
6.12    To Learn More     373
6.13    Exercises     373

  7.1    Network Concepts     377
  7.2    Threats in Networks     396
  7.3    Network Security Controls     440
  7.4    Firewalls     474
  7.5    Intrusion Detection Systems     484
  7.6    Secure E-mail     490
  7.7    Summary of Network Security     496
  7.8    Terms and Concepts     498
  7.9    Where the Field Is Headed     500
7.10    To Learn More     502
7.11    Exercises     502

  8.1    Security Planning     509
  8.2    Risk Analysis     524
  8.3    Organizational Security Policies     547
  8.4    Physical Security     556
  8.5    Summary     566
  8.6    Terms and Concepts     567
  8.7    To Learn More     568
  8.8    Exercises     569

  9.1    Making a Business Case     572
  9.2    Quantifying Security     578
  9.3    Modeling Cybersecurity     589
  9.5    Summary     599
  9.6    Terms and Concepts     600
  9.7    To Learn More     601
  9.8    Exercises     601

10.1      Privacy Concepts     604
10.2      Privacy Principles and Policies     608
10.3      Authentication and Privacy     619
10.4      Data Mining     623
10.5      Privacy on the Web     626
10.6      E-mail Security     635
10.7      Impacts on Emerging Technologies     638
10.8      Summary     643
10.9      Terms and Concepts     643
10.10    Where the Field Is Headed     645
10.11    To Learn More     645
10.12    Exercises     646

11.1     Protecting Programs and Data     649
11.2     Information and the Law     663
11.3     Rights of Employees and Employers     670
11.4     Redress for Software Failures     673
11.5     Computer Crime     679
11.6     Ethical Issues in Computer Security     692
11.7     Case Studies of Ethics     698
11.8     Terms and Concepts     714
11.9     To Learn More     714
11.10   Exercises     715

12.1    Mathematics for Cryptography  718
12.2    Symmetric Encryption     730
12.3    Public Key Encryption Systems     757
12.4     Quantum Cryptography     774
12.5    Summary of Encryption     778
12.6    Terms and Concepts     778
12.7    Where the Field Is Headed     779
12.8    To Learn More     779
12.9    Exercises     779

Downloadable Sample Chapter

Download the Sample Chapter from this book.