Register your product to gain access to bonus material or receive a coupon.
Security in Computing, 3rd Edition
- By Charles P. Pfleeger, Shari Lawrence Pfleeger
- Published Dec 2, 2002 by Pearson.
Book
- Sorry, this book is no longer in print.
About
Features
The much-anticipated revision of Pfleeger's best-selling introduction to security in computing!
° Covers latest network threats–including denial of service, buffer overflow -- explaining the symptom and the cure!
° Adopts a comprehensive approach -- shows the relationships among applications, operating systems, database management systems, and networks in terms of threats and controls
° Covers privacy and ethical issues, often omitted from security books
Description
- Copyright 2003
- Edition: 3rd
- Book
- ISBN-10: 0-13-035548-8
- ISBN-13: 978-0-13-035548-5
The classic guide to information security—fully updated for the latest attacks and countermeasures
Security in Computing, Third Edition systematically demonstrates how to control failures of confidentiality, integrity, and availability in applications, databases, operating systems, and networks alike.
This sweeping revision of the field's classic guide to computer security reflects today's entirely new generation of network- and Internet-based threats and vulnerabilities, and offers practical guidance for responding to them.
- Updated to cover wireless security, intrusion detection, AES, DRM, biometrics, honeypots, online privacy, and more
- Security in Internet-based, distributed, desktop and traditional centralized applications
- New attacks, including scripted vulnerability probing, denial of service, and buffer overflows—with symptoms and cures
- Clear, accessible introduction to cryptography—without sophisticated math
- Up-to-the-minute explanations of digital signatures, certificates, and leading-edge quantum cryptography
- Thoroughly revamped coverage of software engineering practices designed to enhance program security
- Expanded coverage of risk management, contingency planning, and security policies
- Detailed presentation of protection in general-purpose and trusted operating systems
- Extensive pedagogical resources: end-of-chapter reviews and exercises, lists of key terms, and authoritative references
Exceptionally clear and easy to understand, the book covers not only technical issues, but also law, privacy, ethics, and the physical and administrative aspects of security.
The companion website (http://www.phptr.com/pfleeger/) contains additional information, book updates, and instructor's resources.
Downloads
Supplements
This site contains material supplemental to Security in Computing, 3/e, including:
- PowerPoint slides of the text illustrations.
- Links to related videos.
- Links to security-related Web sites picked by the authors.
- Updated sidebars abstracting computer security reports and articles, with links to the full text.
- Sample syllabi for using the book in college-level courses.
- Instructor's Manual - Professors, please contact your local Prentice Hall Sales Representative.
For further information about the authors, you may wish to visit Shari Lawrence Pfleeger's Web site or Charles Pfleeger's Web Site.
Related Videos
Nova sometimes does interesting one-hour stories on things related to computer security. For example, there was a program called "Secrets, Lies and Atomic Spies," that chronicles the spies in the 1940s and how they operated. There is information about coded messages, examples of ciphers, and so on. You can find out about it at http://www.pbs.org/wgbh/nova/venona . Others are called "Decoding Nazi Secrets," "Secrets of Making Money," and "The KGB, the Computer and Me" (a version of Cliff Stoll's "Stalking the Wily Hacker" -- see http://www.pbs.org/wgbh/nova/listseason/17.html ).
There is a BBC program called Panorama that does hard-hitting documentaries, and some of their programs are available on video. Examples that might interest you are "Cyber Attack" (With the world still reeling from the Lovebug virus, which infected millions of computers, an investigation into the security of personal information on the Internet. Panorama viewer John Chamberlain decided to test the security of the Powergen website after seeing the programme, and exposed flaws in their protection of personal information.) (see http://news.bbc.co.uk/1/hi/programmes/panorama/817114.stm ) and "Attack of the Cyber Pirates".
Security Web Site Links: Authors’ Picks
There are many security portals with links to numerous web sites related to security. Several good portal sites are:
The SANS (SysAdmin, Audit, Network, Security) Institute provides a reading room with over 1300 articles and references related to information security. (Posted November 25, 2002.) http://rr.sans.org/index.php
SecurityFocus, Inc. provides a library of reviews, articles, and white papers related to computer security. (Posted November 25, 2002.) http://online.securityfocus.com/library
Purdue University’s Center for Education and Research in Information Assurance and Security (CERIAS) provides a hotlist of links to websites, publications, and events in security. (Posted November 25, 2002.) http://www.cerias.purdue.edu/infosec/hotlist/
The Computer Emergency Response Team Coordinating Center, located at the Software Engineering Institute at Carnegie Mellon University, is a center of Internet security expertise. The center’s research involves handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems, and developing information and training to help improve security at your site. (Posted November 25, 2002.) http://www.cert.org/
The Institute for Electrical and Electronics Engineers (IEEE) Computer Society, Technical Committee on Security and Privacy maintains a good listing of journals and conferences in security. http://www.ieee-security.org/ Its newsletter, Cipher, provides information on past and upcoming workshops and conferences, book reviews, and reports all related to computer security. (Posted November 25, 2002.) http://www.ieee-security.org/cipher.html
We do not intend to try to improve on their work. In this list we will try to give pointers to our favorites, some less well-known sites that we think have interesting information for instructors or students. We have organized the links by chapter just for readability. When something new catches our attention we will update this site, so please check back frequently for new links. And if you have a relatively unknown link that you would like to share, please pass it along.
Tom Dunigan's web page, which has lots of (non-video) resources:
http://www.csm.ornl.gov/~dunigan/security
Chapter 1: Is There a Security Problem in Computing?
"Securing the Cloud," an article from The Economist (October 24, 2002)
reports that digital security is now everyone’s concern. According to a
popular industry statistic, "most firms spend more on coffee than on computer
security." However, as companies increase their security budgets, they
will need to hire additional security specialists and better identify threats,
both big and small. (Posted November 25, 2002.) http://www.economist.co.uk/surveys/displayStory.cfm?story_id=1389589
Peter Neumann, a principal scientist at the SRI International Computer Science Laboratory, has researched computer systems and networks, security, reliability, survivability, safety, and many risk-related issues such as voting-system integrity, crypto policy, social implications, and human needs including privacy. His website contains several links about risks in using computer systems and related technologies. (Posted November 25, 2002.) http://www.csl.sri.com/users/neumann/neumann.html
The Computer Science and Telecommunications Board (CTSB) of the National Research Council, National Academy of Sciences provides independent advice to the federal government on technical and public policy issues related to computing and communications. CTSB’s latest report, Cybersecurity Today and Tomorrow: Pay now or Pay Later, presents a very convincing, and very readable, analysis of the sorry state of cybersecurity today. As the title implies, the question for cybersecurity is not if one will be attacked but when. Defenses today can protect against attacks tomorrow. (Posted November 25, 2002.) http://www7.nationalacademies.org/cstb/pub_cybersecurity.html
Chapter 2: Elementary Cryptography
SSH is a leading developer of Internet-based data security technologies and
solutions, especially cryptography products. Its website provides an introduction
to cryptography, algorithms, protocols and standards, references, and additional
online resources. The website also provides a series of white papers on cryptography,
such as securing remote connections and enabling virtual private networks (VPNs).
(Posted November 25, 2002.) http://www.ssh.com/support/cryptography/index.html
and http://www.ssh.com/support/documentation/white_papers/
Chapter 3: Program Security
Professor Thomas Huckle, of the Institute for Informatics, provides general
links on software bugs and glitches and links to specific examples (e.g., Ariane
5 explosion; euro conversion rounding errors). (Posted November 25, 2002.) http://wwwzenger.informatik.tu-muenchen.de/persons/huckle/bugse.html
Bugtoaster is a site that tracks bugs (flaws that cause crashes). Their software can be downloaded and installed onto a computer. If that computer crashes, the software will send a description of the crash to Bugtoaster. When enough crashes occur from a single product, the vendor is notified so the problem can be addressed. The site also provides statistics for the most prevalent problems with applications, operating systems, etc. (Posted November 25, 2002.) http://www.bugtoaster.com/
Chapter 4: Protection in General-Purpose Operating Systems
The Biometric Consortium serves as the U.S. Government’s focal point for
research, development, test, evaluation, and application of biometric-based
personal identification/verification technology. The site provides information
about government, industry, and academia biometric-related events, articles
and publications. (Posted November 25, 2002.) http://www.biometrics.org/
EyeDentify Europe N.V. is a company that has developed a retinal scanner for identification and access control. Retinal scanning is one method of biometrics, a means of identifying a person by measuring a particular physical or behavioral characteristic that is later compared to a library of characteristics belonging to many people. The site provides information of the technical features of this technology. (Posted November 25, 2002.) http://www.eye-dentify.com/
The BiometriTech newsletter covers the latest news and articles on biometric issues, implementation obstacles and solutions, and successful installations of biometric components and the results they have yielded. The site provides information on finger identification, voice identification/authentication, facial recognition, and smart card technologies. (Posted November 25, 2002.) http://www.biometritech.com/
Chapter 5: Designing Trusted Operating Systems
The United States, Canada and several European countries joined together to
develop a set of common criteria for evaluation of IT security that are broadly
useful within the international community. The common criteria is available
at the following site. (Posted November 25, 2002.) http://www.commoncriteria.org/
The National Information Assurance Partnership (NIAP), sponsored jointly by the National Institute of Standards and Technology and the National Security Agency, represents the United States within the Common Criteria project. The site provides information as to how the common criteria are implemented in the United States. (Posted November 25, 2002.) http://csrc.nist.gov/cc/
Chapter 6: Database Security
The Defense Advanced Research Projects Agency (DARPA) is funding the Total Information
Awareness (TIA) program. TIA’s goal is " to revolutionize the ability
of the United States to detect, classify and identify foreign terrorists —
and decipher their plans — and thereby enable the U.S. to take timely action
to successfully preempt and defeat terrorist acts." The site provides information
about the program’s objectives and a detailed chart of the approach. (Posted
November 25, 2002.) http://www.darpa.mil/iao/TIASystems.htm
The National Science Foundation Workshop on Next Generation Data Mining (NGDM'02) brought together data mining researchers and practitioners from diverse backgrounds for exploring the challenges and future research directions in data mining. The workshop focused on data mining for pervasive, distributed, and stream applications; data mining for counter-terrorism; scientific data mining; and the Web, semantics, and data mining. The site provides links to the presentations given at the workshop. (Posted November 25, 2002.) http://www.cs.umbc.edu/NGDM02/
Chapter 7: Security in Networks
Counterpane Internet Security, Inc. is focused on managed security monitoring
(MSM). The company monitors networks for suspicious activities, and takes immediate,
effective action to keep its clients’ businesses running smoothly. Under
the NEWS heading, descriptions of security alerts and incidents can be found.
Under the LIBRARY heading, the Crypto-Gram Newsletter and publications from
Counterpane Labs can be found. http://www.counterpane.com/
(Posted November 25, 2002.)
See the SANS, Security Focus, and CERT sites referenced under Chapter 1 above for additional information on network security.
Chapter 8: Administering Security
The Federal Agency Security Practices (FASP) website is based off the success
of the Federal CIO Council’s Federal Best Security Practices pilot effort
to identify, evaluate, and disseminate best practices for computer security.
The FASP site contains agency policies, procedures and practices; CIO pilot
BSPs; and a Frequently-Asked-Questions section. (Posted November 25, 2002.)
http://csrc.nist.gov/fasp/
TechTarget’s SearchSecurity.com is a security-specific information resource enterprise for IT professionals. The site has been organized into several categories, one of which is Security Management. Articles and reports on topics such as guidelines, best practices, employee issues, outsourcing, etc. can be found. (Posted November 25, 2002.) http://searchsecurity.techtarget.com/
The SANS (SysAdmin, Audit, Network, Security) Institute provides a security policy resource page that provides information on how to write information security policies, including examples and templates. (Posted November 25, 2002.) http://www.sans.org/newlook/resources/policies/policies.htm
Chapter 9: Legal, Privacy, and Ethical Issues in Computer Security
The Electronic Privacy Information Center is a public interest research center
established to focus public attention on emerging civil liberties and to protect
privacy. The site provides links to articles and reports on computer security,
cryptography policy, free speech, the Freedom of Information Act, and privacy.
(Posted November 25, 2002.) http://www.epic.org
Computer Professionals for Social Responsibility (CPSR) is an organization that provides the public and policymakers with realistic assessments of the power, promise, and problems of information technology. The site provides links to articles and publications to direct public attention to critical choices concerning the applications of information technology and how those choices affect society. (Posted November 25, 2002.) http://www.cpsr.org/
The site provides a compilation of laws from around the world related to unsolicited bulk and commercial e-mail ("spam"), provided solely for educational and informational purposes. (Posted November 25, 2002.) http://www.spamlaws.com/
Lisa Takeuchi Cullen’s article "Some More Spam, Please," in Time (November 3, 2002) describes how spam both unwanted and wanted (email from merchants that have been given permission to contact the consumer) is on the rise. The next targets of spam appear to be cell phones and pagers, although several states are fighting against it. (Posted November 25, 2002.) http://www.time.com/time/business/article/0,8599,386956,00.html
Chapter 10: Cryptography Explained
See sites in Chapter 2: Elementary Cryptography above.
Additional Information
If you are a student interested in learning more about computer security programs
located at colleges and universities in the United States, please see the following
link.
The National Security Agency has designated 36 universities as Centers of Academic Excellence in Information Assurance Education. The designations were granted following a rigorous review of university applications against published criteria based on training standards established by the National Security Telecommunications and Information Systems Security Committee. The list and links to these university centers can be found at:
http://www.nsa.gov/isso/programs/nietp/newspg1.htm
Sidebars
Below you will find abstracts of reports and articles, with links to the full text, concerned with computer security issues.
Chapter 1
U.S. Government Issues New Computer Security Scorecard
The U.S. House of Representatives Subcommittee on Government Efficiency, Financial
Management, and Intergovernmental Relations has released its report on the computer
security of government agencies. The show many agencies and departments receiving
a failing grade (See Sidebar 1-6 for previous results). The subcommittee began
grading federal agencies after Congress passed the Government Information Security
Reform Act of 2000, requiring federal agencies to establish agencywide computer
security programs that protect the systems that support their missions.
The 2002 scores are posted here.
The full report, Making Federal Computers Secure: Overseeing Effective Information Security Management, is available at
http://www.house.gov/reform/gefmir/reports/computer_security.pdf
Hand-Held Organizers: Not Just for Law-Abiding Citizens Anymore
These days, law-abiding citizens and criminals alike are using hand-held organizers
to coordinate their daily activities. The New York Times reported that in San
Jose, California, police broke up an identity-theft crime ring in October 2002.
Using search warrants, police seized and examined the hand-helds of the suspects,
which contained the names of more than 20 victims along with their personal
information and e-mail confirmations of transfers from victims’ bank accounts.
This is just one example of how data from hand-helds has been used to prosecute
criminals, and to better understand how and with whom they operate.
The full story, "A Palmtop for the Prosecution," by Jennifer Lee (October 24, 2002) can be viewed at:
http://www.nytimes.com/2002/10/24/technology/circuits/24palm.html (Registration required.)
Chapter 4
Sidebar Public Access to Microsoft and Customer Information
On November 19, 2002, Microsoft took a public file server offline after Internet
users discovered that the system contained scores of internal Microsoft documents,
including a huge customer database with millions of entries. Normally, the file
transfer protocol server enables Microsoft customers to upload or download files
to and from the Product Support team. However, an ineffective security policy,
allowed the public to have full access to folders containing confidential company
and customer information.
The full story, "Microsoft Spills Customer Data," by Brian McWilliams (November 20, 2002) can be viewed at:
http://www.wired.com/news/infostructure/0,1377,56481,00.html
Sidebar Hacking Made Easier in Complex Networks
The FCC chartered the Network Reliability and Interoperability Council to recommend
ways for companies to stop cyberattacks after 9/11. Bill Hancock, chair of the
council, stated that "Over time, we're getting very sophisticated attacks
from morons," implying that hackers don't need to be highly skilled to
cause trouble. The Council made its initial recommendations based on existing
industry best practices, which many companies don't often follow. The complexity
of today's networks has created new threats and vulnerabilities not present
in simple networks used just a decade ago. The full story, "Complex Networks
Too Easy to Hack," by Michael Grebb (December 9, 2002) can be viewed at:
http://www.wired.com/news/politics/0,1283,56766,00.html
Sidebar Increasing Risk for Internet Collapse?
Tony Grubesic, assistant professor of geography at the University of Cincinnati,
led a group of scientists from Ohio State University in carrying out simulated
attacks on key internet hubs to show how vulnerable the worldwide network is
to disruption, disaster, or terrorism. The scientists warned that the network
would unravel itself if the major nodes of the internet were destroyed, with
suburbs and rural areas gradually cut off from the internet. Grubesic compared
the internet to the air transportation system. A delay or disruption at O’Hare
will cause a ripple effect across all other airports with which it is linked.
The same would occur in the cities considered to be the major nodes of the internet.
The researchers' work will appear in the February 2003 edition of Telematics
and Informatics.
The full story, "Risk of Internet Collapse Rising," (November 26, 2002) can be viewed at:
http://news.bbc.co.uk/1/hi/technology/2514651.stm
Sidebar Cyberterrorism Predictions for 2003
IDC, a technology research firm, has laid out its 2003 predictions for information
technology and cyber security. The first was "A major cyberterrorism event
will disrupt the economy and bring the Internet to its knees for a day or two,"
an increasing threat for the U.S. because of the potential war with Iraq. IDC
makes its predictions by polling more than 700 analysts. Last year, seven of
its 10 predictions were correct. Predictions are included for several areas
including wireless, telecommunications, and digital imaging.
The full story, "IDC: Cyberterror and Other Prophecies," by Ed Frauenheim (December 12, 2002) can be viewed at:
http://news.com.com/2100-1001-977780.html?tag=fd_top
Sidebar New Way to Stop Computer Virus Epidemics
In 2001, the Code Red virus infected 350,000 computers in 14 hours. Matthew
Williamson, researcher at the Hewlett-Packard laboratories in Bristol, England,
has developed a new approach to slow the spread of computer viruses so that
"engineers can finish their pizzas and get to the scene of the crime."
He explained that once a virus infects a computer, it will try to connect to
other computers as fast as possible to spread the virus further. Uninfected
machines do not make the connections at this speed, so Williamson’s idea
is to "limit the rate at which a computer can connect to other computers"
by use of a throttle, which alerts people to an attack.
The full story, "Throttled at Birth," (November 21, 2002) can be viewed at:
http://www.economist.com/science/displayStory.cfm?story_id=1454331
Extras
Author's Site
Sample Content
Online Sample Chapters
Downloadable Sample Chapter
Download the Sample
Chapter related to this title.
Table of Contents
Foreword.
Preface to the Third Edition.
1. Is There a Security Problem in Computing?
What Does “Secure” Mean? Attacks. The Meaning of Computer Security. Computer Criminals. Methods of Defense. What's Next. Summary. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
2. Elementary Cryptography.
Terminology and Background. Substitution Ciphers. Transposition (Permutations). Making “Good” Encryption Algorithms. The Data Encryption Standard (DES). The AES Encryption Algorithm. Public Key Encryption. The Uses of Encryption. Summary of Encryption. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
3. Program Security.
Secure Programs. Nonmalicious Program Errors. Viruses and Other Malicious Code. Targeted Malicious Code. Controls Against Program Threats. Summary of Program Threats and Controls. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
4. Protection in General-Purpose Operating Systems.
Protected Objects and Methods of Protection. Memory and Address Protection. Control of Access to General Objects. File Protection Mechanisms. User Authentication. Summary of Security for Users. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
5.Designing Trusted Operating Systems.
What Is a Trusted System? Security Policies. Models of Security. Trusted Operating System Design. Assurance in Trusted Operating Systems. Implementation Examples. Summary of Security in Operating Systems. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
6. Database Security.
Introduction to Databases. Security Requirements. Reliability and Integrity. Sensitive Data. Inference. Multilevel Databases. Proposals for Multilevel Security. Summary of Database Security. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
7. Security in Networks.
Network Concepts. Threats in Networks. Network Security Controls. Firewalls. Intrusion Detection Systems. Secure E-Mail. Summary of Network Security. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
8. Administering Security.
Security Planning. Risk Analysis. Organizational Security Policies. Physical Security. Summary. Terms and Concepts. To Learn More. Exercises.
9. Legal, Privacy, and Ethical Issues in Computer Security.
Protecting Programs and Data. Information and the Law. Rights of Employees and Employers. Software Failures. Computer Crime. Privacy. Ethical Issues in Computer Security. Case Studies of Ethics. Case I: Use of Computer Services. Case II: Privacy Rights. Case III: Denial of Service. Case IV: Ownership of Programs. Case V: Proprietary Resources. Case VI: Fraud. Case VII: Accuracy of Information. Case VIII: Ethics of Hacking or Cracking. Codes of Ethics. Conclusion of Computer Ethics. Terms and Concepts. To Learn More. Exercises.
10. Cryptography Explained.
Mathematics for Cryptography. Symmetric Encryption. Public Key Encryption Systems. Quantum Cryptography. Summary of Encryption. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
Bibliography.
Index.
Preface
Preface to the Third Edition
Every day, the news media give more and more visibility to the effects of computer security on our daily lives. For example, on a single day in June 2002, the Washington Post included three important articles about security. On the front page, one article described the possibility that a terrorist group was plotting to—and actually could—invade computer systems and destroy huge dams, disable the power grid, or wreak havoc with the air traffic control system. A second article, also on the front page, considered the potential loss of personal privacy as governments and commercial establishments begin to combine and correlate data in computer-maintained databases. Further back, a third article discussed yet another software flaw that could have widespread effect. Thus, computer security is no longer relegated to esoteric discussions of what might happen; it is instead a hot news topic, prominently featured in newspapers, magazines, radio talk shows, and documentary television programs. The audience is no longer just the technical community; it is ordinary people, who feel the effects of pervasive computing.
In just a few years the world's public has learned the terms "virus," "worm," and "Trojan horse" and now appreciates the concepts of "unauthorized access," "sabotage," and "denial of service." During this same time, the number of computer users has increased dramatically; with those new users have come new uses: electronic stock trading, sharing of medical records, and remote control of sensitive equipment, to name just three. It should be no surprise that threats to security in computing have increased along with the users and uses.
Why Read This Book?
Are your data or programs at risk? If you answer "yes" to any of the following questions, you have a potential security risk.
- Do you connect to the Internet?
- Do you read e-mail?
- Have you gotten any new programs—or any new versions of old programs—within, say, the last year?
- Is there any important program or data item of which you do not have a second copy stored somewhere other than on your computer?
Almost every computer user today meets at least one of these conditions, and so you, and almost every other computer user, are at risk of some harmful computer security event. Risk does not mean you should stop using computers. You are at risk of being hit by a falling meteorite or of being robbed by a thief on the street, but you do not hide in a fortified underground bunker all day. You learn what puts you at risk and how to control it. Controlling a risk is not the same as eliminating it; you simply want to bring it to a tolerable level.
How do you control the risk of computer security?
- Learn about the threats to computer security.
- Understand what causes these threats by studying how vulnerabilities arise in the development and use of computer systems.
- Survey the controls that can reduce or block these threats.
- Develop a computing style—as a user, developer, manager, consumer, and voter—that balances security and risk.
Users and Uses of This Book
This book is intended for the study of computer security. Many of you want to study this topic: college and university students, computing professionals, managers, and users of all kinds of computer-based systems. All want to know the same thing: how to control the risk of computer security. But you may differ in how much information you need about particular topics: Some want a broad survey, whereas others want to focus on particular topics, such as networks or program development.
This book should provide the breadth and depth that most readers want. The book is organized by general area of computing, so that readers with particular interests can find information easily. The chapters of this book progress in an orderly manner, from general security concerns to the particular needs of specialized applications, and finally to overarching management and legal issues. Thus, the book covers five key areas of interest:
- Introduction: threats, vulnerabilities, and controls
- Encryption: the "Swiss army knife" of security controls
- Code: security in programs, including applications, operating systems, database management systems, and networks
- Management: implementing and maintaining a computing style
- Law, privacy, ethics: nontechnical approaches by which society controls computer security risks
These areas are not equal in size; for example, more than half the book is devoted to code because so much of the risk is at least partly caused by program code that executes on computers.
The first chapter introduces the concepts and basic vocabulary of computer security. The second chapter provides an understanding of what encryption is and how it can be used or misused. Just as a driver's manual does not address how to design or build a car, Chapter 2 is for users of encryption, not designers of new encryption schemes. Chapters 3 through 7 cover successively larger pieces of software: individual programs, operating systems, complex applications like database management systems, and finally networks, which are distributed complex systems. Chapter 8 discusses managing and administering security, and finding an acceptable balance between threats and controls. Chapter 9 covers the way society at large addresses computer security, through its laws and ethical systems and through its concern for privacy. Finally, Chapter 10 returns to cryptography, this time to look at the details of the encryption algorithms themselves.
Within that organization, you can move about, picking and choosing topics of particular interest. Everyone should read Chapter 1 to build a vocabulary and a foundation. It is wise to read Chapter 2 because cryptography appears in so many different control techniques. Although there is a general progression from small programs to large and complex networks, you can in fact read Chapters 3 through 7 out of sequence or pick topics of greatest interest. Chapters 8 and 9 may be just right for the professional looking for nontechnical controls to complement the technical ones of the earlier chapters. These chapters may also be important for the computer science student who wants to look beyond a narrow view of bytes and protocols. Chapter 10 is for people who want to understand some of the underlying mathematics and logic of cryptography.
What background should you have to appreciate this book? The only assumption is an understanding of programming and computer systems. Someone who is an advanced undergraduate or graduate student in computer science certainly has that background, as does a professional designer or developer of computer systems. A user who wants to understand more about how programs work can learn from this book, too; we provide the necessary background on concepts of operating systems or networks, for example, before we address the related security concerns.
This book can be used as a textbook in a one- or two-semester course in computer security. The book functions equally well as a reference for a computer professional or as a supplement to an intensive training course. And the index and extensive bibliography make it useful as a handbook to explain significant topics and point to key articles in the literature. The book has been used in classes throughout the world; instructors often design one-semester courses that focus on topics of particular interest to students or that relate well to the rest of a curriculum.
What Is New in This Book?
This is the third edition of Security in Computing, first published in 1989. Since then, the specific threats, vulnerabilities, and controls have changed, even though many of the basic notions have remained the same.The two changes most obvious to people familiar with the previous editions are networks and encryption. Networking has evolved even since the second edition was published, and there are many new concepts to master, such as distributed denial-of-service attacks or scripted vulnerability probing. As a consequence, the networks chapter is almost entirely new. Previous editions of this book presented encryption details in the same chapter as encryption uses. Although encryption is a fundamental tool in computer security, in this edition the what is presented straightforwardly in Chapter 2, while the how is reserved for the later Chapter 10. This structure lets readers get to the technical uses of encryption in programs and networks more quickly.There are numerous other additions, of which these are the most significant ones:- the Advanced Encryption System (AES), the replacement for the Data Encryption System (DES) from the 1970s
- programming flaws leading to security failures, highlighting buffer overflows, incomplete mediation, and time-of-check to time-of-use errors
- recent malicious code attacks, such as Code Red
- software engineering practices to improve program quality
- assurance of code quality
- authentication techniques such as biometrics and password generators
- privacy issues in database management system security
- mobile code, agents, and assurance of them
- denial-of-service and distributed denial-of-service attacks
- flaws in network protocols
- security issues in wireless computing
- honeypots and intrusion detection
- copyright controls for digital media
- threats to and controls for personal privacy
- software quality, vulnerability reporting, and vendors' responsibilities
- the ethics of hacking
In addition to these major changes, there are numerous small corrective and clarifying ones, ranging from wording changes to subtle notational changes for pedagogic reasons to replacement, deletion, rearrangement, and expansion of sections.