Computer Security ^{3rd Ed.}

Computer Security, Third Edition contains the best ideas on recent advances in computer hardware and the spread of personal computer technology. It includes a complete and comprehensive introduction to computer security, as well as coverage of computer crime, systems security, and cryptology.

Convinced that there is no such thing as computer security, only various degrees of insecurity, John Carroll presents the best concepts that high technology, classical security practice, and common sense have to offer to help reduce insecurity to the lowest possible level. This thoroughly enhanced third edition is an essential text for everyone involved with the operation and security of the computer complexes that are the heart of today's businesses.

In addition to completely updating the original matter, Computer Security, Third Edition includes new information on:

• computer crime and the law
• physical security
• communications
• surveillance
• risk management

• Part I: The Threat to Computer Security
1. Essentials of Computer Security
• Unique EDP Security Problems
• EDP Security in a Nutshell
• Computers and Crime; Know Your Enemy!
• The Anatomy of Computer Crime
2. Computer Crime and the Law
• United States
• Australia
• Canada
• United Kingdom
• New Zealand
• Continental Europe
• Conclusions
• Classic Case Histories
• Part II: Security Management Considerations
3. Organizing for EDP Security
• EDP Security in the Public Sector
• EDP Security in the Private Sector
• Corporate EDP Security
• Duties of the Security Coordinator
• Principles of Security Management
• New Challenges for IT Security Management
4. Protection of Information
• Classifications — The Government Model
• Classifications — The Corporate Model
• Special Problems with EDP
• Marking Classified Matter
• Storing Classified Matter
• Destroing Classified Matter
• Residual Memory in Magnetic Media
• Procedural Safeguards for Classified Matter
• Conclusion
5. Screening and Management of Personnel
• Management Responsibility
• Relations with Vendors
• Categories of Security Clearance
• Security Screening of Employees
• Personnel Security Policies
• Conclusion
• Part III: Physical Security
6. Physical Access Control
• Basics of Access Control
• Automatic Access Control
• Key Access Control
• Concentric Controlled Perimeters
• Outer Perimeter Access
• Building Access Control
• Control of Access to Restricted Areas
• Material Control in Restricted Areas
• Computer Room Access Control
7. Physical Security
• The Fortress Concept
• Outer Perimeter Defense
• Building Perimeters
• Guarded Areas
• Restricted Area Perimeter
• Computer Room Security
8. Environmental Security
• Electric Power
• Grounding
• Interference Suppression
• Dust Control
• Environmental Controls
9. Disaster Control
• Locating the Computer Center
• Protecting the Computer Center
• Automatic Fire Detection
• General Fire Safety Planning
• Disaster Recovery
• Part IV: Communications Security
10. Line Security
• Communication Security Subfields
• Security of Communications Cables
• Interior Communications Lines
• Telephone Instrument Security
• Additional Line Security Considerations
• Local Area Networks
• Space Radio Interception
11. Transmission Security
• General Consideration
• Operating Procedures
• Speech Privacy
• Error-Proof Codes
• Traffic Analysis
12. Cryptographic Security
• Introduction to Cryptology
• Overview of Ciphers
• How Ciphers Work
• How DES Works
• Network Communications Security
• Weaknesses of DES
• Ways to Use DES
• Asymmetrical Ciphers
• El Gamal
• Crypto Procedures
• Cryptanalysis
• Summary
13. Emanations Security
• Emanation Problems
• Probability of Interception
• Defense Mechanisms
• Measuring Electromagnetic Emanation Levels
• Additional Defenses
• Defense Against Acoustical Emanations
14. Technical Security
• Victimization of EDP Centers
• Categories of Technical Surveillance
• Defenses Against Technical Surveillance
• Part V: Systems Security
15. Systems Identification
• Introduction to System Security
• Guidelines for a Trusted Computing Base
• Personal Identification
• Other User Identification Systems
• Identifying Specified Assets
• System Relationships
• Privacy Considerations
• Freedom of Information
16. Isolation in Computer Systems
• Defense Strategies
• Processing Modes
• temporal Isolation
• Spatial Isolation
• System Architecture
• Cryptographic Isolation
• Restriction of Privilege
• Virtual Machine Isolation
• Trends in User Isolation
17. Systems Access Control
• Basic Principles of Access
• Authentication
• Systems Access
• Internal Access
• Access Privileges
• Keeping Hackers Out
• System Security Add-on Packages
18. Detection and Surveillance
• Threat Monitoring
• Trend Analysis
• Investigations
• Auditing
• Comprehensive Action
• The Human Factor in Computer Crime
19. Systems Integrity
• Program Security
• Error Control
• Privacy in Statistical Data Bases
• Protection of Security Functions
• Commercial Security Model
• Object-Oriented Model
• Conclusion
• Bibliography
20. Systems Reliability and Security
• Hardware
• Software
• Changes
• System Backup
• Record-Keeping and Security
• Logs
• Backup Files
• Restart and Recovery
• Record Retention
• Inventories and Lists
21. Security and Personal Computers
• Introduction
• Physical Security
• Environmental Protection
• Protection of Removable Media
• Electromagnetic Emanations
• Security Attributes of Microprocessors
• PC Operating Systems
• Local-Area Network (LAN) Security
• Security in Remote Support Programs
• Database Security
• Security in Application Programs
• Backup
• Anti-Virus Defenses
• Security Add-ons for PC Operating Systems — Trusted Computer Systems Evaluation
• New Thinking in PC Security
• Conclusions
• Bibliography
• Part VI: Information Security Risk Analysis
22. Systems Approach to Risk Management
• Introduction
• Applications of Risk Analysis
• IT Security Management
• Information and Risk Analysis
• Information Security by Consensus
• State of Infosec Risk Analysis
• General Systems Approach
• Cybernetic Control Cycle
• Problems in Risk Analysis
• Cybernetic Model of Activity
• Representative Risk-Analysis Packages
• Specific Recommendations
23. Threat Assessment
• Introduction
• Properties of Threats
• Estimating Likelihood
• Trend Analysis
24. Assets and Safeguards
• Assets
• Vulnerabilities
• Assets and Impacts
• Risk-Analysis Modeling
• Cost-of-Loss Model
• Safeguards
• Constraints
25. Keeping Secrets in Computers
• Threats and Legal Remedies
• Self-Help Measures
• National Security Models
• Threat Risk Assessment
26. Modes of Risk Analysis
• Compliance Auditing
• Requirements Analysis
• Security Inspection and Evaluation
• Cost-Benefit Analysis
• Life-Cycle Software Development
• Development of Security Software
• The Workshop Model
• Transaction Model
• Appendix: Sample Log Forms

Covers nearly everything.