Secure Computing

Threats and Safeguards

Rita C. Summers

Publisher: McGraw-Hill, 1997, 687 pages

ISBN: 0-07-069419-2

Keywords: Information Security, IT Security

Last modified: May 24, 2021, 11:08 a.m.

The Most Comprehensive Single Guide to Computer Security on the Market Today

From desktops to databases, this surefire guide offers you a complete introduction to the principles, problems, and methods for securing computer systems — covering a wide range of environments, operating systems, threats, and measures.

Written by a noted expert in the field, the book examines the trends in society and technology that make computer security important and that affect security solutions. Included is detailed coverage of:

  • Threats from intruders and insiders, and from errors and natural disasters
  • The theoretical foundations of computer security
  • How secure systems are developed, what services they must provide, and how to evaluate them
  • How security mechanisms and services work, and how to use them
  • Network and Internet security, LAN security, and database security
  • Managing computer security

You'll find a wealth of material on cryptography, security hardware and software, formal models, risk analysis, electronic commerce, legislation, and privacy — plus case histories, examples, summaries, exercises, and references to sharpen your understanding.

  1. Foundations
    1. Introduction
      • Concepts
        • Computer Security Policy
        • Vulnerabilities, Threats, and Safeguards
        • Approaches to Providing Security
        • Security, Safety, and Quality
      • Security Principles
        • OECD Guidelines for the Security of Information Systems
        • Principles Underlying Security Policy
      • Overview of Threats and Vulnerabilities
      • Overview of Safeguards
        • Protection Strategies
        • Safeguards In Three Realms
        • Framework for Technical Safeguards
      • Preview of the Chapters
      • Notes on Terminology
    2. The Context for Computer Security
      • Overview of the Chapter
      • The Changing Context
        • Application Trends
        • Computing Environment Trends
      • Privacy
        • Background
        • Threats to Privacy
        • Privacy Law and Policy
        • Communications Privacy
      • Fraud and Abuse
        • Types of Abuse
        • Examples of Abuse
        • The Legal Environment
      • Standards and Criteria
        • Computer Security Standards
        • Networks Standards
      • Cryptography Policy
        • Background
        • Policy Issues
      • Ethics and Computer Security
        • Ethical Principles
        • Privacy
        • Professional Ethics
        • Ethics and the User
      • Summary
      • Bibliographic Notes
        • The Changing Context
        • Privacy
        • Fraud and Abuse
        • Standards and Criteria
        • Cryptography Policy
        • Ethics and Computer Security
      • Exercises
      • References
    3. Threats
      • Concepts, Cases, and Categories
        • Vulnerability, Threat, and Safeguard
        • Case Histories
        • Types of Misuse
        • Types of Vulnerabilities
      • Perpetrators
        • Insiders
        • Hackers
        • Spies
      • Attack Methods
        • Preparing and Planting the Attack
        • Activating the Attack
        • Missions
        • Attacks on Safeguards
      • Malicious Code
      • Trojan Horses
        • Perpetrators Steps
        • Threats to Integrity and Confidentiality
      • Viruses
        • Theory
        • How a Virus Works
        • Sources of Viral Infection
        • Safeguards
      • Worms
        • Worm Incidents
        • The Internet Worm
        • Lessons from the Internet Worm
      • Summary
      • Bibliographic Notes
      • Exercises
      • References
    4. Policies and Models
      • Real-World Security Policy
        • Principles Underlying Real-World Security Policies
        • Roles in Real-World Security Policy
        • Real-World Policies for Confidentiality
        • Policies and Controls for Integrity
        • Real-World Policy Examples
        • Core Policy Elements
      • Security Policy in the Computing World
      • Security Models
        • History of Computer Security Models
        • Disciplines Used in Models
        • Criteria for Good Models
      • Access Control Models
        • The Access Matrix Model
        • Capabilities and the Take-Grant Model
        • Limitations of Discretionary Access Control
        • The Bell-LaPadula Model
        • Application-Oriented Models
        • Authorization
        • A Model for Authorization
      • Information Flow Models
        • Information Theory
        • A Lattice Model of Information Flow
        • Noninterference
        • Issues in Information Flow Security
        • Composition
      • Integrity Models
        • Definitions and Goals
        • Biba Model
        • Conflict with Confidentiality
        • Clark-Wilson Model
        • Modeling External Consistency
      • Denial of Service
      • Security Policy in Practice
        • Policies, Models, and the Criteria
        • Establishing and Carrying Out Security Policy
      • Summary
      • Bibliographic Notes
      • Exercises
      • References
  2. Methods
    1. Cryptography
      • Overview
        • Concepts and Definitions
        • A Note on Terminology and Notation
        • Types of Cryptosystems
        • Cryptographic Protocols
        • Digital Signatures
        • Evaluation of Cryptosystems and Protocols
      • Theoretical Foundations
        • Classical Cryptosystems
        • Computational Complexity
        • Number Theory
        • Interactive Proof Systems
      • Cryptographic Techniques
        • Classical Cryptosystems and Techniques
        • Block and Stream Ciphers
        • One-Way Functions
        • The Data Encryption Standard
        • IDEA
        • SKIPJACK
        • Stream Ciphers
      • Public Key Cryptography
        • Diffie-Hellman Concepts
        • How to Build a Public Key Cryptosystem
        • Trapdoor Knapsacks
        • The Rivest-Shamir-Adleman System
        • ElGamal Scheme
      • Authentication of Information
        • Threats to Message Integrity
        • Cryptographic Methods for Message Authentication
        • Digital Signatures
      • Key Management
        • Key Generation
        • Key Distribution
        • Key Management for Public Key Systems
        • Key Escrow
      • Cryptographic Protocols
        • A Simple Cryptographic Protocol
        • Arbitrated and Nonarbitrated Protocols
        • Some Protocols
        • Design and Analysis of Protocols
      • Summary
      • Bibliographic Notes
        • General Cryptography
        • Theoretical Foundations
        • Cryptographic Techniques
        • Public Key Cryptography
        • Authentication of Information
        • Key Management
        • Cryptographic Protocols
      • Exercises
      • References
    2. Designing and Building Secure Systems
      • Software Engineering
        • The Software Life Cycle
        • Abstraction and Information Hiding
        • Operating System Models
        • Object-Oriented Systems
        • Formal Methods
        • Verification and Validation
      • Security Flaws
        • Validation Flaws
        • Domain Flaws
        • Serialization Errors
        • Boundary-Condition Flaws
        • Covert Channels
      • Principles of Design for Security
        • Saltzer and Schroeder Principles
        • Other Principles
      • Architectural Approaches
        • Kernel Approach
        • Hierarchical Layers of Abstraction
        • TCB Subsets
        • Security Guards
        • Controlled Application Sets
      • Security Evaluation Criteria
        • The OSI Security Standards
        • Trusted Computer System Evaluation Criteria (TCSEC)
        • Information Technology Security Evaluation Criteria (ITSEC)
        • Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)
        • Problems and Directions
      • The Development Process and Security
        • Security Requirements Specification
        • Formal Methods for Security
        • Methodologies and Languages
        • Using Existing Software
        • Testing for Security
        • Documentation
        • Configuration Management and Trusted Distribution
      • Summary
      • Bibliographic Notes
        • Software Engineering
        • Principles of Design for Security
        • Architectural Approaches
        • Security Evaluation Criteria
        • The Development Process and Security
      • Exercises
      • References
    3. Protection Mechanisms in Hardware Architecture and Operating Systems
      • Overview of Concepts and Mechanisms
      • Protection Problems
      • History and Trends
      • Basic Protection Mechanisms
        • Processes
        • Interprocess Communication
        • Protection Domains and Rings
        • Representing Access Control Information
        • Memory Protection
      • Examples of Protection Systems
        • Memory Protection and Rings in Multics
        • The Mach Kernel and Interprocess Communication
        • Intel x86 Protection
        • Protection and Translation: Examples
      • Capability Systems
        • Capability Systems: Advantages and Disadvantages
        • Protecting Capabilities
        • Controlling Propagation of Capabilities
        • The Cambridge CAP Computer
        • Hydra and Rights Amplification
        • Capabilities in the Amoeba Distributed Operating System
        • Capabilities and Multilevel Systems
      • Security Kernels
        • Goals of Kernel-Based Approach
        • Forms of the Kernel Approach
        • Mechanisms for Security Kernels
        • Examples of Kernel-Based Systems
      • Object Reuse
      • Support for Debugging
      • Summary
      • Bibliographic Notes
      • Exercises
      • References
    4. Security Services in Operating Systems
      • Overview
      • Identification and Authentication
        • Authentication Methods
        • Passwords
        • Authentication Using Token Devices
        • Authentication Using Biometric Methods
        • Mutual Authentication
        • Operating System Requirements
      • Control of System Entry
      • Access Control
        • Subjects
        • Objects
        • Access Rights
        • Subjects, Objects, and Mandatory Access Control
        • Access Validation
        • Attributes for New Objects
        • Constrained Environments
      • Availability and Integrity
        • Why and How Systems Fail
        • Recovery
        • Redundancy
        • Data Integrity
        • Clark-Wilson Integrity
      • Audit
        • Recording Audit Data
        • Protecting Audit Data
        • Reporting and Analysis
      • Security Facilities for Users
        • Privileged Roles
        • Security Administrators
        • Auditors
        • Operators
        • System Programmers
        • Users
        • Documentation
      • Windowing System Security
        • The X Window System
        • Security Weaknesses
        • Compartmented Mode Workstation and Trusted X Window
      • UNIX Security
        • Identification and Authentication
        • Access Control
        • Security Limitations of Traditional UNIX
        • Securing Traditional UNIX
        • System V Enhanced Security
      • MVS Security
        • Identification and Authentication
        • Access Control
        • Privilege
        • Audit
      • OpenVMS Security
      • Windows NT Security
        • Windows NT Structure
        • Objects and Object Security
        • Identification and Authentication
        • Access Control
      • Summary
      • Bibliographic Notes
      • Exercises
      • References
    5. Database Security
      • Overview of the Chapter
      • Database Concepts and Terminology
        • Databases and Database Management Systems
        • The Relational Model of Data
        • Object-Oriented Databases
        • Statistical Databases
      • Database Security Requirements
      • Security Services for Databases
        • Identification and Authentication
        • Access Control
        • Integrity
      • Multilevel Secure Database Systems
        • Extending the Relational Model
        • Concurrency Control
        • Architectures for Multilevel Secure Database Systems
        • Multilevel Secure DBMS Products
        • Multilevel Secure DBMS Research Projects
      • Security for Object-Oriented Databases
        • Object-Oriented Database Management Systems
        • Authorization Models for Discretionary Access Control
        • Models for Mandatory Access Control
        • Clark-Wilson Integrity Interpretation
      • Inference
        • Statistical Databases
        • Inference in Multilevel Secure Database Systems
      • Summary
      • Bibliographic Notes
        • Database Concepts
        • Security Services for Databases
        • Multilevel Secure Database Systems
        • Security for Object-Oriented Databases
        • Inference
      • Exercises
      • References
  3. Security in Computer Networks
    1. Network Security
      • Introduction
        • Concepts and Definitions
        • Network Security
        • Overview of the Chapter
      • Architecture and Standards
        • Network Architecture
        • Network Security Architecture
        • Open Systems Interconnection (OSI)
        • Internet Architecture
        • Network Security Standards
      • Threats to Network Security
        • Vulnerabilities of Transmission Media
        • Types of Attacks
      • Cryptography in Network Security
        • Cryptography Review
        • The Place of Cryptography
        • Generic Security Services
      • Authentication
        • Types of Identity Authentication
        • Mutual Authentication and Authentication Servers
        • Issues in Authentication Service Design
        • The Kerberos Authentication System
        • X.509 Directory Authentication
        • KryptoKnight
        • S/KEY One-Time Passwords
      • Access Control, Confidentiality, and Integrity
        • Access Control
        • Confidentiality
        • Integrity and Nonrepudiation
      • Network Management
        • OSI Systems Management
        • SNMP
      • Electronic Mail Security
        • Privacy Enhanced Mail
        • Pretty Good Privacy
      • Internet Security
        • Vulnerabilities
        • Firewalls
        • Protocol Enhancement
        • World Wide Web Security
      • Some Architectures
        • Trusted Network Interpretation
        • DoD Network Security
        • Secure Data Network System
      • Summary
      • Bibliographic Notes
        • Architecture and Standards
        • Threats
        • Cryptography in Network Security
        • Authentication
        • Access Control, Confidentiality, and Integrity
        • Network Management
        • Electronic Mail Security
        • Internet Security
        • Some Architectures
      • Exercises
      • References
    2. Distributed Systems Security
      • Concepts and Definitions
      • Overview of the Chapter
      • Security of Local-Area Networks
        • Local-Area Networks: Uses and Characteristics
        • Security Threats and Security Advantages
        • LAN Security Services
        • Integrity and Availability
        • Backup
        • Transaction Support
        • Virus Protection
        • Multilevel Security
      • Distributed File Systems
        • Network File Systems
        • Andrew File System and AFS
      • Novell NetWare Security
        • Objects, Directory Services, and Administrators
        • Control of System Entry and Authentication
        • Access Control
        • Integrity and Availability
        • Packet Integrity
        • Audit and C2
      • Single Sign-On
        • Requirements
        • Implementations
      • Remote Access
        • How Remote Access Works
        • Authentication
        • Other Security Services
        • Telephone Company and Other Services
      • Mobile Computing and Wireless Communication
      • Distributed Computing
        • Secure Remote Procedure Call
        • Distributed Computing Environment
        • Authentication in a Distributed Operating System
      • Summary
      • Bibliographic Notes
      • Exercises
      • References
  4. Management and Analysis
    1. Managing Computer Security
      • Introduction
        • The Job of Security Management
        • Overview of the Chapter
      • Organizational Structure
        • Basic Goals
        • Possible Management Structures
      • Computer Security Policy
        • Types of Policies
        • Setting Policy
        • Policy Issues
        • Implementing Policy
      • People and Security
        • Selecting Employees
        • Training and Awareness
        • Security Roles and Responsibilities
        • Certifying Information Security Professionals
        • Organizational and Administrative Controls
        • The Altered Workplace
        • Service Personnel
      • Operations Security
        • Organization and Roles
        • Controls at Interfaces
        • Media Control
        • Backup
        • Configuration Management
      • Physical Security
        • What Physical Security Protects
        • Threats
        • Management Considerations
        • Safeguards
        • Protecting Against Intrusion
        • Protection Against Emergencies
        • Protecting Against Electrical Problems
        • Protecting Against Fire
        • Protecting Against Water Damage
      • Contingency Planning
        • The Value of Contingency Planning
        • Contingency Planning Steps
        • Developing a Contingency Plan
        • What the Contingency Plan Covers
        • The Contingency Team
        • Stages
      • Incident Response
        • Incident Response and Computer Abuse Teams
        • About Investigation
        • Before Incidents Occur
        • During an Incident
        • After an Incident
      • Summary
      • Bibliographic Notes
      • Exercises
      • References
    2. Analyzing Security
      • Introduction
        • Overview of the Chapter
      • Risk Analysis
        • A Simple Example
        • Steps in a Risk Analysis
        • Identifying and Valuing Assets
        • Analyzing Threats and Vulnerabilities
        • Calculating Risks
        • Analyzing Safeguards
        • Risk Analysis Methodologies and Tools
        • Evaluation of Risk Analysis
      • Information Systems Auditing
        • The Financial Auditing Process
        • Information Systems Auditing
        • Auditor Participation in Systems Development
      • Vulnerability Testing
        • Testing Approaches
        • Testing Techniques
      • Intrusion Detection
        • Approaches
        • System Design Issues
        • Intrusion Detection Systems
      • Summary
      • Bibliographic Notes
        • Risk Analysis
        • Information Systems Auditing
        • Vulnerability Testing
        • Intrusion Detection
      • Exercises
      • References

Reviews

Secure Computing

Reviewed by Roland Buresund

Good ******* (7 out of 10)

Last modified: Nov. 13, 2008, 2:05 a.m.

A good guide to IT security.
