The much-anticipated revision of Pfleeger's best-selling introduction to security in computing!
° Covers latest network threats–including denial of service, buffer overflow -- explaining the symptom and the cure!
° Adopts a comprehensive approach -- shows the relationships among applications, operating systems, database management systems, and networks in terms of threats and controls
° Covers privacy and ethical issues, often omitted from security books
The classic guide to information securityfully updated for the latest attacks and countermeasures
Security in Computing, Third Edition systematically demonstrates how to control failures of confidentiality, integrity, and availability in applications, databases, operating systems, and networks alike.
This sweeping revision of the field's classic guide to computer security reflects today's entirely new generation of network- and Internet-based threats and vulnerabilities, and offers practical guidance for responding to them.
Exceptionally clear and easy to understand, the book covers not only technical issues, but also law, privacy, ethics, and the physical and administrative aspects of security.
The companion website (http://www.phptr.com/pfleeger/) contains additional information, book updates, and instructor's resources.
This site contains material supplemental to Security in Computing, 3/e, including:
Nova sometimes does interesting one-hour stories on things related to computer security. For example, there was a program called "Secrets, Lies and Atomic Spies," that chronicles the spies in the 1940s and how they operated. There is information about coded messages, examples of ciphers, and so on. You can find out about it at http://www.pbs.org/wgbh/nova/venona . Others are called "Decoding Nazi Secrets," "Secrets of Making Money," and "The KGB, the Computer and Me" (a version of Cliff Stoll's "Stalking the Wily Hacker" -- see http://www.pbs.org/wgbh/nova/listseason/17.html ).
There is a BBC program called Panorama that does hard-hitting documentaries, and some of their programs are available on video. Examples that might interest you are "Cyber Attack" (With the world still reeling from the Lovebug virus, which infected millions of computers, an investigation into the security of personal information on the Internet. Panorama viewer John Chamberlain decided to test the security of the Powergen website after seeing the programme, and exposed flaws in their protection of personal information.) (see http://news.bbc.co.uk/1/hi/programmes/panorama/817114.stm ) and "Attack of the Cyber Pirates".
Security Web Site Links: Authors Picks
There are many security portals with links to numerous web sites related to security. Several good portal sites are:
The SANS (SysAdmin, Audit, Network, Security) Institute provides a reading room with over 1300 articles and references related to information security. (Posted November 25, 2002.) http://rr.sans.org/index.php
SecurityFocus, Inc. provides a library of reviews, articles, and white papers related to computer security. (Posted November 25, 2002.) http://online.securityfocus.com/library
Purdue Universitys Center for Education and Research in Information Assurance and Security (CERIAS) provides a hotlist of links to websites, publications, and events in security. (Posted November 25, 2002.) http://www.cerias.purdue.edu/infosec/hotlist/
The Computer Emergency Response Team Coordinating Center, located at the Software Engineering Institute at Carnegie Mellon University, is a center of Internet security expertise. The centers research involves handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems, and developing information and training to help improve security at your site. (Posted November 25, 2002.) http://www.cert.org/
The Institute for Electrical and Electronics Engineers (IEEE) Computer Society, Technical Committee on Security and Privacy maintains a good listing of journals and conferences in security. http://www.ieee-security.org/ Its newsletter, Cipher, provides information on past and upcoming workshops and conferences, book reviews, and reports all related to computer security. (Posted November 25, 2002.) http://www.ieee-security.org/cipher.html
We do not intend to try to improve on their work. In this list we will try to give pointers to our favorites, some less well-known sites that we think have interesting information for instructors or students. We have organized the links by chapter just for readability. When something new catches our attention we will update this site, so please check back frequently for new links. And if you have a relatively unknown link that you would like to share, please pass it along.
Tom Dunigan's web page, which has lots of (non-video) resources:
Chapter 1: Is There a Security Problem in Computing?
"Securing the Cloud," an article from The Economist (October 24, 2002) reports that digital security is now everyones concern. According to a popular industry statistic, "most firms spend more on coffee than on computer security." However, as companies increase their security budgets, they will need to hire additional security specialists and better identify threats, both big and small. (Posted November 25, 2002.) http://www.economist.co.uk/surveys/displayStory.cfm?story_id=1389589
Peter Neumann, a principal scientist at the SRI International Computer Science Laboratory, has researched computer systems and networks, security, reliability, survivability, safety, and many risk-related issues such as voting-system integrity, crypto policy, social implications, and human needs including privacy. His website contains several links about risks in using computer systems and related technologies. (Posted November 25, 2002.) http://www.csl.sri.com/users/neumann/neumann.html
The Computer Science and Telecommunications Board (CTSB) of the National Research Council, National Academy of Sciences provides independent advice to the federal government on technical and public policy issues related to computing and communications. CTSBs latest report, Cybersecurity Today and Tomorrow: Pay now or Pay Later, presents a very convincing, and very readable, analysis of the sorry state of cybersecurity today. As the title implies, the question for cybersecurity is not if one will be attacked but when. Defenses today can protect against attacks tomorrow. (Posted November 25, 2002.) http://www7.nationalacademies.org/cstb/pub_cybersecurity.html
Chapter 2: Elementary Cryptography
SSH is a leading developer of Internet-based data security technologies and solutions, especially cryptography products. Its website provides an introduction to cryptography, algorithms, protocols and standards, references, and additional online resources. The website also provides a series of white papers on cryptography, such as securing remote connections and enabling virtual private networks (VPNs). (Posted November 25, 2002.) http://www.ssh.com/support/cryptography/index.html and http://www.ssh.com/support/documentation/white_papers/
Chapter 3: Program Security
Professor Thomas Huckle, of the Institute for Informatics, provides general links on software bugs and glitches and links to specific examples (e.g., Ariane 5 explosion; euro conversion rounding errors). (Posted November 25, 2002.) http://wwwzenger.informatik.tu-muenchen.de/persons/huckle/bugse.html
Bugtoaster is a site that tracks bugs (flaws that cause crashes). Their software can be downloaded and installed onto a computer. If that computer crashes, the software will send a description of the crash to Bugtoaster. When enough crashes occur from a single product, the vendor is notified so the problem can be addressed. The site also provides statistics for the most prevalent problems with applications, operating systems, etc. (Posted November 25, 2002.) http://www.bugtoaster.com/
Chapter 4: Protection in General-Purpose Operating Systems
The Biometric Consortium serves as the U.S. Governments focal point for research, development, test, evaluation, and application of biometric-based personal identification/verification technology. The site provides information about government, industry, and academia biometric-related events, articles and publications. (Posted November 25, 2002.) http://www.biometrics.org/
EyeDentify Europe N.V. is a company that has developed a retinal scanner for identification and access control. Retinal scanning is one method of biometrics, a means of identifying a person by measuring a particular physical or behavioral characteristic that is later compared to a library of characteristics belonging to many people. The site provides information of the technical features of this technology. (Posted November 25, 2002.) http://www.eye-dentify.com/
The BiometriTech newsletter covers the latest news and articles on biometric issues, implementation obstacles and solutions, and successful installations of biometric components and the results they have yielded. The site provides information on finger identification, voice identification/authentication, facial recognition, and smart card technologies. (Posted November 25, 2002.) http://www.biometritech.com/
Chapter 5: Designing Trusted Operating Systems
The United States, Canada and several European countries joined together to develop a set of common criteria for evaluation of IT security that are broadly useful within the international community. The common criteria is available at the following site. (Posted November 25, 2002.) http://www.commoncriteria.org/
The National Information Assurance Partnership (NIAP), sponsored jointly by the National Institute of Standards and Technology and the National Security Agency, represents the United States within the Common Criteria project. The site provides information as to how the common criteria are implemented in the United States. (Posted November 25, 2002.) http://csrc.nist.gov/cc/
Chapter 6: Database Security
The Defense Advanced Research Projects Agency (DARPA) is funding the Total Information Awareness (TIA) program. TIAs goal is " to revolutionize the ability of the United States to detect, classify and identify foreign terrorists and decipher their plans and thereby enable the U.S. to take timely action to successfully preempt and defeat terrorist acts." The site provides information about the programs objectives and a detailed chart of the approach. (Posted November 25, 2002.) http://www.darpa.mil/iao/TIASystems.htm
The National Science Foundation Workshop on Next Generation Data Mining (NGDM'02) brought together data mining researchers and practitioners from diverse backgrounds for exploring the challenges and future research directions in data mining. The workshop focused on data mining for pervasive, distributed, and stream applications; data mining for counter-terrorism; scientific data mining; and the Web, semantics, and data mining. The site provides links to the presentations given at the workshop. (Posted November 25, 2002.) http://www.cs.umbc.edu/NGDM02/
Chapter 7: Security in Networks
Counterpane Internet Security, Inc. is focused on managed security monitoring (MSM). The company monitors networks for suspicious activities, and takes immediate, effective action to keep its clients businesses running smoothly. Under the NEWS heading, descriptions of security alerts and incidents can be found. Under the LIBRARY heading, the Crypto-Gram Newsletter and publications from Counterpane Labs can be found. http://www.counterpane.com/ (Posted November 25, 2002.)
See the SANS, Security Focus, and CERT sites referenced under Chapter 1 above for additional information on network security.
Chapter 8: Administering Security
The Federal Agency Security Practices (FASP) website is based off the success of the Federal CIO Councils Federal Best Security Practices pilot effort to identify, evaluate, and disseminate best practices for computer security. The FASP site contains agency policies, procedures and practices; CIO pilot BSPs; and a Frequently-Asked-Questions section. (Posted November 25, 2002.) http://csrc.nist.gov/fasp/
TechTargets SearchSecurity.com is a security-specific information resource enterprise for IT professionals. The site has been organized into several categories, one of which is Security Management. Articles and reports on topics such as guidelines, best practices, employee issues, outsourcing, etc. can be found. (Posted November 25, 2002.) http://searchsecurity.techtarget.com/
The SANS (SysAdmin, Audit, Network, Security) Institute provides a security policy resource page that provides information on how to write information security policies, including examples and templates. (Posted November 25, 2002.) http://www.sans.org/newlook/resources/policies/policies.htm
Chapter 9: Legal, Privacy, and Ethical Issues in Computer Security
The Electronic Privacy Information Center is a public interest research center established to focus public attention on emerging civil liberties and to protect privacy. The site provides links to articles and reports on computer security, cryptography policy, free speech, the Freedom of Information Act, and privacy. (Posted November 25, 2002.) http://www.epic.org
Computer Professionals for Social Responsibility (CPSR) is an organization that provides the public and policymakers with realistic assessments of the power, promise, and problems of information technology. The site provides links to articles and publications to direct public attention to critical choices concerning the applications of information technology and how those choices affect society. (Posted November 25, 2002.) http://www.cpsr.org/
The site provides a compilation of laws from around the world related to unsolicited bulk and commercial e-mail ("spam"), provided solely for educational and informational purposes. (Posted November 25, 2002.) http://www.spamlaws.com/
Lisa Takeuchi Cullens article "Some More Spam, Please," in Time (November 3, 2002) describes how spam both unwanted and wanted (email from merchants that have been given permission to contact the consumer) is on the rise. The next targets of spam appear to be cell phones and pagers, although several states are fighting against it. (Posted November 25, 2002.) http://www.time.com/time/business/article/0,8599,386956,00.html
Chapter 10: Cryptography Explained
See sites in Chapter 2: Elementary Cryptography above.
If you are a student interested in learning more about computer security programs located at colleges and universities in the United States, please see the following link.
The National Security Agency has designated 36 universities as Centers of Academic Excellence in Information Assurance Education. The designations were granted following a rigorous review of university applications against published criteria based on training standards established by the National Security Telecommunications and Information Systems Security Committee. The list and links to these university centers can be found at:
Below you will find abstracts of reports and articles, with links to the full text, concerned with computer security issues.
U.S. Government Issues New Computer Security Scorecard
The U.S. House of Representatives Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations has released its report on the computer security of government agencies. The show many agencies and departments receiving a failing grade (See Sidebar 1-6 for previous results). The subcommittee began grading federal agencies after Congress passed the Government Information Security Reform Act of 2000, requiring federal agencies to establish agencywide computer security programs that protect the systems that support their missions.
The 2002 scores are posted here.
The full report, Making Federal Computers Secure: Overseeing Effective Information Security Management, is available at
Hand-Held Organizers: Not Just for Law-Abiding Citizens Anymore
These days, law-abiding citizens and criminals alike are using hand-held organizers to coordinate their daily activities. The New York Times reported that in San Jose, California, police broke up an identity-theft crime ring in October 2002. Using search warrants, police seized and examined the hand-helds of the suspects, which contained the names of more than 20 victims along with their personal information and e-mail confirmations of transfers from victims bank accounts. This is just one example of how data from hand-helds has been used to prosecute criminals, and to better understand how and with whom they operate.
The full story, "A Palmtop for the Prosecution," by Jennifer Lee (October 24, 2002) can be viewed at:
http://www.nytimes.com/2002/10/24/technology/circuits/24palm.html (Registration required.)
Sidebar Public Access to Microsoft and Customer Information
On November 19, 2002, Microsoft took a public file server offline after Internet users discovered that the system contained scores of internal Microsoft documents, including a huge customer database with millions of entries. Normally, the file transfer protocol server enables Microsoft customers to upload or download files to and from the Product Support team. However, an ineffective security policy, allowed the public to have full access to folders containing confidential company and customer information.
The full story, "Microsoft Spills Customer Data," by Brian McWilliams (November 20, 2002) can be viewed at:
Sidebar Hacking Made Easier in Complex Networks
The FCC chartered the Network Reliability and Interoperability Council to recommend ways for companies to stop cyberattacks after 9/11. Bill Hancock, chair of the council, stated that "Over time, we're getting very sophisticated attacks from morons," implying that hackers don't need to be highly skilled to cause trouble. The Council made its initial recommendations based on existing industry best practices, which many companies don't often follow. The complexity of today's networks has created new threats and vulnerabilities not present in simple networks used just a decade ago. The full story, "Complex Networks Too Easy to Hack," by Michael Grebb (December 9, 2002) can be viewed at:
Sidebar Increasing Risk for Internet Collapse?
Tony Grubesic, assistant professor of geography at the University of Cincinnati, led a group of scientists from Ohio State University in carrying out simulated attacks on key internet hubs to show how vulnerable the worldwide network is to disruption, disaster, or terrorism. The scientists warned that the network would unravel itself if the major nodes of the internet were destroyed, with suburbs and rural areas gradually cut off from the internet. Grubesic compared the internet to the air transportation system. A delay or disruption at OHare will cause a ripple effect across all other airports with which it is linked. The same would occur in the cities considered to be the major nodes of the internet. The researchers' work will appear in the February 2003 edition of Telematics and Informatics.
The full story, "Risk of Internet Collapse Rising," (November 26, 2002) can be viewed at:
Sidebar Cyberterrorism Predictions for 2003
IDC, a technology research firm, has laid out its 2003 predictions for information technology and cyber security. The first was "A major cyberterrorism event will disrupt the economy and bring the Internet to its knees for a day or two," an increasing threat for the U.S. because of the potential war with Iraq. IDC makes its predictions by polling more than 700 analysts. Last year, seven of its 10 predictions were correct. Predictions are included for several areas including wireless, telecommunications, and digital imaging.
The full story, "IDC: Cyberterror and Other Prophecies," by Ed Frauenheim (December 12, 2002) can be viewed at:
Sidebar New Way to Stop Computer Virus Epidemics
In 2001, the Code Red virus infected 350,000 computers in 14 hours. Matthew Williamson, researcher at the Hewlett-Packard laboratories in Bristol, England, has developed a new approach to slow the spread of computer viruses so that "engineers can finish their pizzas and get to the scene of the crime." He explained that once a virus infects a computer, it will try to connect to other computers as fast as possible to spread the virus further. Uninfected machines do not make the connections at this speed, so Williamsons idea is to "limit the rate at which a computer can connect to other computers" by use of a throttle, which alerts people to an attack.
The full story, "Throttled at Birth," (November 21, 2002) can be viewed at:
Download the Sample
Chapter related to this title.
Preface to the Third Edition.
1. Is There a Security Problem in Computing?
What Does “Secure” Mean? Attacks. The Meaning of Computer Security. Computer Criminals. Methods of Defense. What's Next. Summary. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
Terminology and Background. Substitution Ciphers. Transposition (Permutations). Making “Good” Encryption Algorithms. The Data Encryption Standard (DES). The AES Encryption Algorithm. Public Key Encryption. The Uses of Encryption. Summary of Encryption. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
Secure Programs. Nonmalicious Program Errors. Viruses and Other Malicious Code. Targeted Malicious Code. Controls Against Program Threats. Summary of Program Threats and Controls. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
Protected Objects and Methods of Protection. Memory and Address Protection. Control of Access to General Objects. File Protection Mechanisms. User Authentication. Summary of Security for Users. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
What Is a Trusted System? Security Policies. Models of Security. Trusted Operating System Design. Assurance in Trusted Operating Systems. Implementation Examples. Summary of Security in Operating Systems. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
Introduction to Databases. Security Requirements. Reliability and Integrity. Sensitive Data. Inference. Multilevel Databases. Proposals for Multilevel Security. Summary of Database Security. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
Network Concepts. Threats in Networks. Network Security Controls. Firewalls. Intrusion Detection Systems. Secure E-Mail. Summary of Network Security. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
Security Planning. Risk Analysis. Organizational Security Policies. Physical Security. Summary. Terms and Concepts. To Learn More. Exercises.
Protecting Programs and Data. Information and the Law. Rights of Employees and Employers. Software Failures. Computer Crime. Privacy. Ethical Issues in Computer Security. Case Studies of Ethics. Case I: Use of Computer Services. Case II: Privacy Rights. Case III: Denial of Service. Case IV: Ownership of Programs. Case V: Proprietary Resources. Case VI: Fraud. Case VII: Accuracy of Information. Case VIII: Ethics of Hacking or Cracking. Codes of Ethics. Conclusion of Computer Ethics. Terms and Concepts. To Learn More. Exercises.
Mathematics for Cryptography. Symmetric Encryption. Public Key Encryption Systems. Quantum Cryptography. Summary of Encryption. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
Every day, the news media give more and more visibility to the effects of computer security on our daily lives. For example, on a single day in June 2002, the Washington Post included three important articles about security. On the front page, one article described the possibility that a terrorist group was plotting to—and actually could—invade computer systems and destroy huge dams, disable the power grid, or wreak havoc with the air traffic control system. A second article, also on the front page, considered the potential loss of personal privacy as governments and commercial establishments begin to combine and correlate data in computer-maintained databases. Further back, a third article discussed yet another software flaw that could have widespread effect. Thus, computer security is no longer relegated to esoteric discussions of what might happen; it is instead a hot news topic, prominently featured in newspapers, magazines, radio talk shows, and documentary television programs. The audience is no longer just the technical community; it is ordinary people, who feel the effects of pervasive computing.
In just a few years the world's public has learned the terms "virus," "worm," and "Trojan horse" and now appreciates the concepts of "unauthorized access," "sabotage," and "denial of service." During this same time, the number of computer users has increased dramatically; with those new users have come new uses: electronic stock trading, sharing of medical records, and remote control of sensitive equipment, to name just three. It should be no surprise that threats to security in computing have increased along with the users and uses.
Are your data or programs at risk? If you answer "yes" to any of the following questions, you have a potential security risk.
Almost every computer user today meets at least one of these conditions, and so you, and almost every other computer user, are at risk of some harmful computer security event. Risk does not mean you should stop using computers. You are at risk of being hit by a falling meteorite or of being robbed by a thief on the street, but you do not hide in a fortified underground bunker all day. You learn what puts you at risk and how to control it. Controlling a risk is not the same as eliminating it; you simply want to bring it to a tolerable level.
How do you control the risk of computer security?
This book is intended for the study of computer security. Many of you want to study this topic: college and university students, computing professionals, managers, and users of all kinds of computer-based systems. All want to know the same thing: how to control the risk of computer security. But you may differ in how much information you need about particular topics: Some want a broad survey, whereas others want to focus on particular topics, such as networks or program development.
This book should provide the breadth and depth that most readers want. The book is organized by general area of computing, so that readers with particular interests can find information easily. The chapters of this book progress in an orderly manner, from general security concerns to the particular needs of specialized applications, and finally to overarching management and legal issues. Thus, the book covers five key areas of interest:
These areas are not equal in size; for example, more than half the book is devoted to code because so much of the risk is at least partly caused by program code that executes on computers.
The first chapter introduces the concepts and basic vocabulary of computer security. The second chapter provides an understanding of what encryption is and how it can be used or misused. Just as a driver's manual does not address how to design or build a car, Chapter 2 is for users of encryption, not designers of new encryption schemes. Chapters 3 through 7 cover successively larger pieces of software: individual programs, operating systems, complex applications like database management systems, and finally networks, which are distributed complex systems. Chapter 8 discusses managing and administering security, and finding an acceptable balance between threats and controls. Chapter 9 covers the way society at large addresses computer security, through its laws and ethical systems and through its concern for privacy. Finally, Chapter 10 returns to cryptography, this time to look at the details of the encryption algorithms themselves.
Within that organization, you can move about, picking and choosing topics of particular interest. Everyone should read Chapter 1 to build a vocabulary and a foundation. It is wise to read Chapter 2 because cryptography appears in so many different control techniques. Although there is a general progression from small programs to large and complex networks, you can in fact read Chapters 3 through 7 out of sequence or pick topics of greatest interest. Chapters 8 and 9 may be just right for the professional looking for nontechnical controls to complement the technical ones of the earlier chapters. These chapters may also be important for the computer science student who wants to look beyond a narrow view of bytes and protocols. Chapter 10 is for people who want to understand some of the underlying mathematics and logic of cryptography.
What background should you have to appreciate this book? The only assumption is an understanding of programming and computer systems. Someone who is an advanced undergraduate or graduate student in computer science certainly has that background, as does a professional designer or developer of computer systems. A user who wants to understand more about how programs work can learn from this book, too; we provide the necessary background on concepts of operating systems or networks, for example, before we address the related security concerns.
This book can be used as a textbook in a one- or two-semester course in computer security. The book functions equally well as a reference for a computer professional or as a supplement to an intensive training course. And the index and extensive bibliography make it useful as a handbook to explain significant topics and point to key articles in the literature. The book has been used in classes throughout the world; instructors often design one-semester courses that focus on topics of particular interest to students or that relate well to the rest of a curriculum.
In addition to these major changes, there are numerous small corrective and clarifying ones, ranging from wording changes to subtle notational changes for pedagogic reasons to replacement, deletion, rearrangement, and expansion of sections.