Home > Store

Analyzing Computer Security: A Threat / Vulnerability / Countermeasure Approach

Register your product to gain access to bonus material or receive a coupon.

Analyzing Computer Security: A Threat / Vulnerability / Countermeasure Approach

Best Value Purchase

Book + eBook Bundle

  • Your Price: $130.30
  • List Price: $207.99
  • Includes EPUB and PDF
  • About eBook Formats
  • This eBook includes the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    Adobe Reader PDF The popular standard, used most often with the free Acrobat® Reader® software.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

More Purchase Options


  • Your Price: $97.75
  • List Price: $115.00
  • Usually ships in 24 hours.

eBook (Watermarked)

  • Your Price: $79.04
  • List Price: $92.99
  • Includes EPUB and PDF
  • About eBook Formats
  • This eBook includes the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    Adobe Reader PDF The popular standard, used most often with the free Acrobat® Reader® software.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.



  • Introduces computer security the way today's practitioners want to learn it: by identifying threats, explaining the vulnerabilities that cause them, and presenting effective countermeasures
  • Contains up-to-date coverage of security management, risk analysis, privacy, controls, forensics, insider attacks, human factors, trust, and more
  • Includes 273 problems and 192 illustrations


  • Copyright 2012
  • Dimensions: 7" x 9-1/8"
  • Pages: 848
  • Edition: 1st
  • Book
  • ISBN-10: 0-13-278946-9
  • ISBN-13: 978-0-13-278946-2

“In this book, the authors adopt a refreshingly new approach to explaining the intricacies of the security and privacy challenge that is particularly well suited to today’s cybersecurity challenges. Their use of the threat–vulnerability–countermeasure paradigm combined with extensive real-world examples throughout results in a very effective learning methodology.”

—Charles C. Palmer, IBM Research

The Modern Introduction to Computer Security: Understand Threats, Identify Their Causes, and Implement Effective Countermeasures

Analyzing Computer Security is a fresh, modern, and relevant introduction to computer security. Organized around today’s key attacks, vulnerabilities, and countermeasures, it helps you think critically and creatively about computer security—so you can prevent serious problems and mitigate the effects of those that still occur.

In this new book, renowned security and software engineering experts Charles P. Pfleeger and Shari Lawrence Pfleeger—authors of the classic Security in Computing—teach security the way modern security professionals approach it: by identifying the people or things that may cause harm, uncovering weaknesses that can be exploited, and choosing and applying the right protections. With this approach, not only will you study cases of attacks that have occurred, but you will also learn to apply this methodology to new situations.

The book covers “hot button” issues, such as authentication failures, network interception, and denial of service. You also gain new insight into broader themes, including risk analysis, usability, trust, privacy, ethics, and forensics. One step at a time, the book systematically helps you develop the problem-solving skills needed to protect any information infrastructure.

Coverage includes

  • Understanding threats, vulnerabilities, and countermeasures
  • Knowing when security is useful, and when it’s useless “security theater”
  • Implementing effective identification and authentication systems
  • Using modern cryptography and overcoming weaknesses in cryptographic systems
  • Protecting against malicious code: viruses, Trojans, worms, rootkits, keyloggers, and more
  • Understanding, preventing, and mitigating DOS and DDOS attacks
  • Architecting more secure wired and wireless networks
  • Building more secure application software and operating systems through more solid designs and layered protection
  • Protecting identities and enforcing privacy
  • Addressing computer threats in critical areas such as cloud computing, e-voting, cyberwarfare, and social media

Sample Content

Online Sample Chapter

Security Blanket or Security Theater?

Sample Pages

Download the sample pages (includes Chapter 1 and Index)

Table of Contents

Foreword xxiii

Preface xxvii

About the Authors xxxv

Chapter 1: Security Blanket or Security Theater? 2

How Dependent Are We on Computers? 6

What Is Computer Security? 8

Threats 11

Harm 24

Vulnerabilities 30

Controls 30

Analyzing Security With Examples 33

Conclusion 34

Exercises 35

Chapter 2: Knock, Knock. Who’s There? 38

Attack: Impersonation 39

Attack Details: Failed Authentication 40

Vulnerability: Faulty or Incomplete Authentication 41

Countermeasure: Strong Authentication 47

Conclusion 64

Recurring Thread: Privacy 67

Recurring Thread: Usability 69

Exercises 71

Chapter 3: 2 + 2 = 5 72

Attack: Program Flaw in Spacecraft Software 74

Threat: Program Flaw Leads to Security Failing 75

Vulnerability: Incomplete Mediation 77

Vulnerability: Race Condition 79

Vulnerability: Time-of-Check to Time-of-Use 82

Vulnerability: Undocumented Access Point 84

Ineffective Countermeasure: Penetrate-and-Patch 85

Countermeasure: Identifying and Classifying Faults 86

Countermeasure: Secure Software Design Elements 90

Countermeasure: Secure Software Development Process 97

Good Design 103

Countermeasure: Testing 114

Countermeasure: Defensive Programming 122

Conclusion 123

Recurring Thread: Legal—Redress for Software Failures 125

Exercises 128

Chapter 4: A Horse of a Different Color 130

Attack: Malicious Code 131

Threat: Malware—Virus, Trojan Horse, and Worm 132

Technical Details: Malicious Code 138

Vulnerability: Voluntary Introduction 155

Vulnerability: Unlimited Privilege 157

Vulnerability: Stealthy Behavior—Hard to Detect and Characterize 157

Countermeasure: Hygiene 158

Countermeasure: Detection Tools 159

Countermeasure: Error Detecting and Error Correcting Codes 166

Countermeasure: Memory Separation 170

Countermeasure: Basic Security Principles 171

Recurring Thread: Legal—Computer Crime 172

Conclusion 177

Exercises 178

Chapter 5: The Keys to the Kingdom 180

Attack: Keylogging 181

Threat: Illicit Data Access 182

Attack Details 182

Harm: Data and Reputation 186

Vulnerability: Physical Access 186

Vulnerability: Misplaced Trust 187

Vulnerability: Insiders 189

Vulnerability: System Subversion 191

Recurring Thread: Forensics—Tracing Data Flow 193

Vulnerability: Weak Authentication 194

Failed Countermeasure: Security through Obscurity 194

Countermeasure: Physical Access Control 196

Countermeasure: Strong Authentication 198

Countermeasure: Trust/Least Privilege 202

Conclusion 204

Recurring Thread: Forensics—Plug-and-Play Devices 205

Exercises 207

Interlude A: Cloud Computing 210

What Is Cloud Computing? 211

What Are the Risks in the Cloud? 213

Chapter 6: My Cup Runneth Over 216

Attack: What Did You Say That Number Was? 217

Harm: Destruction of Code and Data 218

Vulnerability: Off-by-One Error 230

Vulnerability: Integer Overflow 231

Vulnerability: Unterminated Null-Terminated String 232

Vulnerability: Parameter Length and Number 233

Vulnerability: Unsafe Utility Programs 234

Attack: Important Overflow Exploitation Examples 234

Countermeasure: Programmer Bounds Checking 244

Countermeasure: Programming Language Support 244

Countermeasure: Stack Protection/Tamper Detection 247

Countermeasure: Hardware Protection of Executable Space 249

Countermeasure: General Access Control 261

Conclusion 272

Exercises 274

Chapter 7: He Who Steals My Purse . . . 276

Attack: Veterans’ Administration Laptop Stolen 277

Threat: Loss of Data 278

Extended Threat: Disaster 278

Vulnerability: Physical Access 279

Vulnerability: Unprotected Availability of Data 279

Vulnerability: Unprotected Confidentiality of Data 279

Countermeasure: Policy 280

Countermeasure: Physical Security 280

Countermeasure: Data Redundancy (Backup) 282

Countermeasure: Encryption 286

Countermeasure: Disk Encryption 325

Conclusion 326

Exercises 329

Chapter 8: The Root of All Evil 332

Background: Operating System Structure 333

Attack: Phone Rootkit 337

Attack Details: What Is a Rootkit? 338

Vulnerability: Software Complexity 347

Vulnerability: Difficulty of Detection and Eradication 347

Countermeasure: Simplicity of Design 348

Countermeasure: Trusted Systems 353

Conclusion 364

Exercises 365

Chapter 9: Scanning the Horizon 368

Attack: Investigation, Intrusion, and Compromise 369

Threat: Port Scan 370

Attack Details 371

Harm: Knowledge and Exposure 374

Recurring Thread: Legal—Are Port Scans Legal? 375

Vulnerability: Revealing Too Much 376

Vulnerability: Allowing Internal Access 376

Countermeasure: System Architecture 377

Countermeasure: Firewall 378

Countermeasure: Network Address Translation (NAT) 397

Countermeasure: Security Perimeter 399

Conclusion 400

Exercises 402

Chapter 10: Do You Hear What I Hear? 404

Attack: Wireless (WiFi) Network Access 405

Harm: Confidentiality–Integrity–Availability 412

Attack: Unauthorized Access 414

Vulnerability: Protocol Weaknesses 414

Failed Countermeasure: WEP 418

Stronger but Not Perfect Countermeasure: WPA and WPA2 422

Conclusion 426

Recurring Thread: Privacy—Privacy-Preserving Design 427

Exercises 429

Chapter 11: I Hear You Loud and Clear 432

Attack: Enemies Watch Predator Video 433

Attack Details 434

Threat: Interception 437

Vulnerability: Wiretapping 441

Countermeasure: Encryption 448

Countermeasure: Virtual Private Networks 452

Countermeasure: Cryptographic Key Management Regime 456

Countermeasure: Asymmetric Cryptography 459

Countermeasure: Kerberos 464

Conclusion 468

Recurring Thread: Ethics—Monitoring Users 471

Exercises 472

Interlude B: Electronic Voting 474

What Is Electronic Voting? 475

What Is a Fair Election? 477

What Are the Critical Issues? 477

Chapter 12: Disregard That Man Behind the Curtain 482

Attack: Radar Sees Only Blue Skies 483

Threat: Man in the Middle 484

Threat: “In-the-Middle” Activity 487

Vulnerability: Unwarranted Trust 498

Vulnerability: Failed Identification and Authentication 499

Vulnerability: Unauthorized Access 501

Vulnerability: Inadequate Attention to Program Details 501

Vulnerability: Protocol Weakness 502

Countermeasure: Trust 503

Countermeasure: Identification and Authentication 503

Countermeasure: Cryptography 506

Related Attack: Covert Channel 508

Related Attack: Steganography 517

Conclusion 519

Exercises 520

Chapter 13: Not All Is as It Seems 524

Attacks: Forgeries 525

Threat: Integrity Failure 530

Attack Details 530

Vulnerability: Protocol Weaknesses 542

Vulnerability: Code Flaws 543

Vulnerability: Humans 543

Countermeasure: Digital Signature 545

Countermeasure: Secure Protocols 566

Countermeasure: Access Control 566

Countermeasure: User Education 568

Possible Countermeasure: Analysis 569

Non-Countermeasure: Software Goodness Checker 571

Conclusion 572

Exercises 574

Chapter 14: Play It [Again] Sam, or, Let’s Look at the Instant Replay 576

Attack: Cloned RFIDs 577

Threat: Replay Attacks 578

Vulnerability: Reuse of Session Data 580

Countermeasure: Unrepeatable Protocol 580

Countermeasure: Cryptography 583

Conclusion: Replay Attacks 584

Similar Attack: Session Hijack 584

Vulnerability: Electronic Impersonation 588

Vulnerability: Nonsecret Token 588

Countermeasure: Encryption 589

Countermeasure: IPsec 593

Countermeasure: Design 596

Conclusion 597

Exercises 598

Chapter 15: I Can’t Get No Satisfaction 600

Attack: Massive Estonian Web Failure 601

Threat: Denial of Service 602

Threat: Flooding 602

Threat: Blocked Access 603

Threat: Access Failure 604

Case: Beth Israel Deaconess Hospital Systems Down 605

Vulnerability: Insufficient Resources 606

Vulnerability: Addressee Cannot Be Found 611

Vulnerability: Exploitation of Known Vulnerability 613

Vulnerability: Physical Disconnection 613

Countermeasure: Network Monitoring and Administration 614

Countermeasure: Intrusion Detection and Prevention Systems 618

Countermeasure: Management 630

Conclusion: Denial of Service 633

Extended Attack: E Pluribus Contra Unum 635

Technical Details 638

Recurring Thread: Legal—DDoS Crime Does Not Pay 643

Vulnerability: Previously Described Attacks 643

Countermeasures: Preventing Bot Conscription 645

Countermeasures: Handling an Attack Under Way 647

Conclusion: Distributed Denial of Service 648

Exercises 649

Interlude C: Cyber Warfare 652

What Is Cyber Warfare? 653

Examples of Cyber Warfare 654

Critical Issues 656

Chapter 16: ’Twas Brillig, and the Slithy Toves . . . 662

Attack: Grade Inflation 663

Threat: Data Corruption 664

Countermeasure: Codes 667

Countermeasure: Protocols 668

Countermeasure: Procedures 669

Countermeasure: Cryptography 670

Conclusion 673

Exercises 674

Chapter 17: Peering through the Window 676

Attack: Sharing Too Much 677

Attack Details: Characteristics of Peer-to-Peer Networks 677

Threat: Inappropriate Data Disclosure 680

Threat: Introduction of Malicious Software 681

Threat: Exposure to Unauthorized Access 682

Vulnerability: User Failure to Employ Access Controls 683

Vulnerability: Unsafe User Interface 683

Vulnerability: Malicious Downloaded Software 684

Countermeasure: User Education 685

Countermeasure: Secure-by-Default Software 685

Countermeasure: Legal Action 686

Countermeasure: Outbound Firewall or Guard 688

Conclusion 689

Recurring Thread: Legal—Protecting Computer Objects 691

Exercises 704

Chapter 18: My 100,000 Nearest and Dearest Friends 706

Attack: I See U 707

Threat: Loss of Confidentiality 708

Threat: Data Leakage 709

Threat: Introduction of Malicious Code 710

Attack Details: Unintended Disclosure 711

Vulnerability: Exploiting Trust Relationships 721

Vulnerability: Analysis on Data 722

Vulnerability: Hidden Data Attributes 722

Countermeasure: Data Suppression and Modification 724

Countermeasure: User Awareness and Education 729

Countermeasure: Policy 733

Conclusion 734

Exercises 736

Afterword 738

Challenges Facing Us 739

Critical Issues 741

Moving Forward: Suggested Next Steps for Improving Computer Security 742

And Now for Something a Little Different 746

Bibliography 749

Index 773


Submit Errata

More Information

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020