Register your product to gain access to bonus material or receive a coupon.
"Avi Rubin does a great job of explaining the motivations behind many security solutions, as well as providing practical information about how you can solve real-world problems. White-Hat Security Arsenal is an invaluable resource--a judicious mix of practical information and the theory behind it."
--Marcus J. Ranum, CTO, NFR Security, Inc."White-Hat Security Arsenal ups the ante for the good guys in the arms race against computer-based crime. Like a barrage of cruise missiles, Avi's excellent book attains air superiority by leveraging smarts and advanced GPS technology to zero in on critical targets. Intended to educate and inform information security professionals with a no-nonsense, hold-the-hype approach to security, this book is a critical weapon for modern information warriors. If you wear a white hat and are on the good guys' team, buy this book. Don't go into battle without it!"
--Gary McGraw, Ph.D., CTO, CigitalHow do I allow secure remote access to my site? How do I protect data on my laptop in case it's stolen? How should I configure my firewall? Will I regret using my credit card online? How will the bad guys attack? If these are some of the questions that keep you awake at night, you need to read this book.
As a computer security expert at AT&T Labs, author Avi Rubin regularly meets with IT staffs from all types of companies. When asked to recommend resource material to his customers, Rubin realized that there just wasn't a book on the market that would give them concise, direct answers to all their security questions. So he wrote one.
Using a problem-oriented approach, Rubin walks you through everything from protecting against network threats to using credit cards on the Web. Each chapter begins with a problem statement, continues with a description of the threat, explains the technologies involved, and then offers solutions. Chapters conclude with one or more case studies.
You'll find easy-to-understand information that will help youWhether you are an IT professional, a system administrator, an academic, or simply a regular Internet user, White-Hat Security Arsenal is full of information you can't afford to miss.
Interview with Security Expert Avi Rubin
Protecting Web Sites by Guarding the Exits
Risks of the Passport Single Signon Protocol
Security Considerations for Remote Electronic Voting over the Internet
The Computer Security Bookshelf, Part 2
Click below for Author's Site related to this title:
Author's Web Site
Secure Backup: Protecting Your Data
Click below for Sample Chapter related to this title:
rubinch6.pdf
Foreword.
Preface.
I: IS THERE REALLY A THREAT?
1. Shrouded in Secrecy.What Is at Risk.
Data, Time, and Money.
Confidentiality.
Privacy.
Resource Availability.
Why Risks Exist.
Buggy Code.
The User.
Poor Administration.
Exploiting Risks.
Moving On.
3. The Morris Worm Meets the Love Bug: Computer Viruses and Worms.Terminology.
A Touch of History.
The Morris Worm.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
Melissa.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
CIH Chernobyl.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
Happy.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
Worm.ExploreZip.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
Bubbleboy.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
Babylonia.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
The Love Bug.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
Summary.
II: STORING DATA SECURELY.
4. Local Storage.Physical Security.
Cryptographic Security.
What Can Be Achieved with Cryptography.
Cryptography Is Not Enough.
Basic Encryption and Data Integrity.
Protecting Data with Passwords.
Graphical Passwords.
Cryptographic File Systems.
Case Studies.
CFS.
PGPDisk.
EFS in Windows 2000.
Further Reading.
5. Remote Storage.Remote Storage.
NFS Security.
Adding Security.
User Authentication.
Strengthening Passwords.
Access Control Lists and Capabilities.
AFS.
Case Study.
Pathnames.
Further Reading.
6. Secure Backup.Secure Backups.
Physical Security.
Backup over a Network.
Key Granularity.
Backup Products.
@backup.
BitSTOR.
Secure Backup Systems.
BackJack.
Datalock.
NetMass SystemSafe.
Saf-T-Net.
Safeguard Interactive.
Veritas Telebackup.
Deleting Backups.
Case Study.
The Client Software.
Incremental Backups.
Further Reading.
III: SECURE DATA TRANSFER.
7. Setting up a Long-Term Association.What Is Identity?
Identity in Cyberspace.
Exchanging Public Keys in Person.
Certification Authorities.
Public Key Certificates.
Certificate Hierarchies.
Long-Term Relationships within an Organization.
Global Trust Register.
Revocation.
Long-Term Relationships in the Wild.
Managing Private Keys.
Symmetric Keys.
Case Study.
Summary.
Further Reading.
8. Deriving Session Keys.Long-Term Keys Are Not Enough.
What Are Session Keys?
Key Exposure.
Perfect Forward Secrecy.
Security Associations.
Picking a Random Key.
Session Keys from Symmetric Long-Term Keys.
Kerberos.
Another Approach.
Session Keys from Long-Term Public Keys.
Diffie-Hellman Key Exchange.
Session Keys in SSL.
Protocol Design and Analysis.
Case Study.
Clogging Attacks.
ISAKMP Exchanges.
Key Refreshment.
Primes in OAKLEY.
Further Reading.
9. Communicating Securely After Key Setup.Protecting Information.
Encryption.
Authentication.
Which Layer Is Best for Security?
Encapsulation.
The Link Layer.
The Network Layer.
The Transport Layer.
The Application Layer.
Replay Prevention.
Case Study.
ESP.
AH.
Further Reading.
IV: PROTECTING AGAINST NETWORK THREATS.
10. Protecting a Network Perimeter.Insiders and Outsiders.
Network Perimeter.
Benefits of Firewalls.
Types of Firewalls.
Packet Filters.
Application-Level Gateways.
Using the Firewall.
Configuring Rules.
Web Server Placement.
Exit Control.
Remote Access8.
Logging in Directly.
Dial-up Access.
VPN Access.
Web-Only Access.
Case Study.
Further Reading.
11. Defending against Attacks.Bad Guys.
Mapping.
Attacks.
Denial of Service.
Defense.
Defending against Mapping.
Monitoring the Traffic.
Intrusion Detection.
Defense against DDOS.
Other Tools.
Case Study.
Further Reading.
V: COMMERCE AND PRIVACY.
12. Protecting E-Commerce Transactions.Credit Cards on the Web.
The SSL Protocol.
Protocol Overview.
Configuring a Browser.
Configuring a Server.
Security.
Performance.
Caching.
Case Study.
How Passport Works.
Risks of Passport.
Further Reading.
13. Protecting Privacy.Online Privacy.
What Is at Risk?
E-Mail Privacy.
Protecting E-Mail with Cryptography.
Anonymous E-Mail.
How Is Personal Privacy Compromised?
Direct Methods.
Indirect Methods.
Defense Mechanisms and Countermeasures.
Protecting Data on Your Machine.
Protecting Credit Card Information.
Safeguarding Your Browsing History.
Hiding Your Surfing.
Posting Anonymously to the Web.
Case Study.
Summary.
Further Reading.
Glossary.As a computer security expert at AT&T Labs, I often find myself meeting with members of IT departments of our large customers. This year, for example, I've met with, among others, the CIO of Ford Motor Company, the CTO of JP Morgan, and a Vice President of American Axle Manufacturing. In each case, they bring along an entourage of system administrators and other members of their team, and they come loaded with problems. How do I allow secure remote access to my site? How should I configure my firewall? How do employees store information securely on laptops? The list of questions goes on and on. I listen to them and offer my advice and expertise.
The customers always ask me what book I recommend to solve all of their problems. There are some good books on security out there. However, they are written from a disciplinary approach. There is usually a chapter on cryptography, a chapter on protocols, a chapter on SSL, and so on. So, I set out to write a book that directly answers the questions that these large IT departments face.
What sets this book apart from others is the problem-oriented approach. Each chapter starts out with a problem statement using Alice and sometimes Bob, borrowing these characters from the cryptography literature.
The book is divided into five parts. Each part is written to be self-contained, so there is some redundancy of information across parts. Within each part (except the first), there are chapters, each of which represents a problem. Within the chapter is a description of the threat model, explanations of the technologies involved, and some solutions. The chapters conclude with one or more case studies. The idea is to give the readers enough information to understand the problem in detail, to have the ability to evaluate solutions, and even to be able to solve the problem themselves.
The Surfer/End User Surfers or "end users" are those who surf the Web, read e-mail, and use computers in their everyday lives. They don't necessarily have any formal computer science training, but they are proficient in day-to-day uses of computers. For example, they know how to install software and how to change the settings in their browsers.
The IT Professional Information technology professionals are those who are quite knowledgeable about computers. They may be in charge of a large network deployment, programmers, system architects, or even managers. It is safe to assume that these people have a computer science or CIS degree, and that they have been working with computers for some time.
The Academic Academic are usually either professors or graduate students. Academics are usually interested in the technical details and the theory behind a solution, as much as in the solution itself. Academics are likely to consult other references to further understand the material, and the gory details are welcome, rather than feared.
The System Administrator System administrators are those who are often responsible for the security of a site. They are usually the ones putting out fires, and their jobs may be on the line if information is lost, or if a major break-in occurs. These people are interested in making sure that their systems are safe, and while they would normally love to study and understand the theory behind the solutions, there is no time for that. What they really want is to figure out exactly how to solve the problem that is pressing at the moment.
Each chapter in this book presents the solution to a problem that is important to some subset of these characters. While you may or may not fit exactly into one of these descriptions, I hope that the icons at the beginnings of the chapters will give you a good idea of what level of detail and complexity to expect when you read it.
There are five parts to the book:
Part I The first part is intended to motivate the rest of the book. No problems are identified here; rather, I address the issue of threat and why people need to worry about solving computer security problems.
Part II The second part deals with secure storage of information. The following problems are addressed:
Part III The third part is the most technical in the book. It deals with transferring information securely on vulnerable networks. The following problems are addressed:
Part IV The fourth part of this book has to do with protecting against network threats. This includes setting up firewalls, detecting intrusions, and dealing with denial-of-service attacks. The following problems are addressed:
Part V The fifth and final part of the book deals with online commerce and privacy. The part covers issues such as using credit cards on the Web and the privacy of Web browsing. The following problems are addressed:
There are several ways to read this book. If you are reading it because you have some of the problems mentioned here, then the best thing to do is to jump to the chapter that addresses your problem and read it. If it is in the middle of a part, you may find that some of the material in the earlier chapters is needed, so I recommend that you find the part that contains your problem and read that whole part.
If you are interested in learning about all of the problems, or security in general, then read the book from start to finish. There is no dependence on order in the parts, so you can read them in whatever order you like, but it is best to read the chapters within a part in the order they appear.
At the end of each chapter there is a listing of all of the references that are cited within the text. The books, articles, and Web sites are listed in the order that they appear. I have done my best to reference only Web sites that I expect to be around for a while, and I have tested all of them several times since I wrote each section, but of course, the Web is dynamic, so there are no guarantees. I maintain a Web site with all of the links in the book, and I keep it as up to date as possible. The URL is http://white-hat.org/. Please let me know if you find a broken link there. At the end of the book is the full bibliography listed by the numbers that are used for citation within the text.
There is a glossary of acronyms used throughout the book, so if you come across a term you do not understand, it may help to check there.
Avi Rubin