Atnaujinkite slapukų nuostatas

Computer Security 3rd edition [Minkštas viršelis]

3.73/5 (105 ratings by Goodreads)
(Technical University of Hamburg-Harburg)
  • Formatas: Paperback / softback, 464 pages, aukštis x plotis x storis: 231x183x23 mm, weight: 885 g
  • Išleidimo metai: 20-Dec-2010
  • Leidėjas: John Wiley & Sons Inc
  • ISBN-10: 0470741155
  • ISBN-13: 9780470741153
Kitos knygos pagal šią temą:
Computer Security 3rd editionDidesnis paveikslėlis
  • Formatas: Paperback / softback, 464 pages, aukštis x plotis x storis: 231x183x23 mm, weight: 885 g
  • Išleidimo metai: 20-Dec-2010
  • Leidėjas: John Wiley & Sons Inc
  • ISBN-10: 0470741155
  • ISBN-13: 9780470741153
Kitos knygos pagal šią temą:
Pastovi nuoroda: https://www.kriso.lt/db/9780470741153.html
Raktažodžiai:
A completely up-to-date resource on computer security

Assuming no previous experience in the field of computer security, this must-have book walks you through the many essential aspects of this vast topic, from the newest advances in software and technology to the most recent information on Web applications security. This new edition includes sections on Windows NT, CORBA, and Java and discusses cross-site scripting and JavaScript hacking as well as SQL injection. Serving as a helpful introduction, this self-study guide is a wonderful starting point for examining the variety of competing security systems and what makes them different from one another.

  • Unravels the complex topic of computer security and breaks it down in such a way as to serve as an ideal introduction for beginners in the field of computer security
  • Examines the foundations of computer security and its basic principles
  • Addresses username and password, password protection, single sign-on, and more
  • Discusses operating system integrity, hardware security features, and memory
  • Covers Unix security, Windows security, database security, network security, web security, and software security

Packed with in-depth coverage, this resource spares no details when it comes to the critical topic of computer security.

Chapter 1 History of Computer Security
1(12)
1.1 The Dawn of Computer Security
2(1)
1.2 1970s-Mainframes
3(1)
1.3 1980s-Personal Computers
4(2)
1.3.1 An Early Worm
5(1)
1.3.2 The Mad Hacker
6(1)
1.4 1990s-Internet
6(2)
1.5 2000s-The Web
8(2)
1.6 Conclusions-The Benefits of Hindsight
10(1)
1.7 Exercises
11(2)
Chapter 2 Managing Security
13(18)
2.1 Attacks and Attackers
14(1)
2.2 Security Management
15(6)
2.2.1 Security Policies
16(1)
2.2.2 Measuring Security
17(2)
2.2.3 Standards
19(2)
2.3 Risk and Threat Analysis
21(8)
2.3.1 Assets
22(1)
2.3.2 Threats
23(1)
2.3.3 Vulnerabilities
24(1)
2.3.4 Attacks
24(2)
2.3.5 Common Vulnerability Scoring System
26(1)
2.3.6 Quantitative and Qualitative Risk Analysis
26(2)
2.3.7 Countermeasures-Risk Mitigation
28(1)
2.4 Further Reading
29(1)
2.5 Exercises
29(2)
Chapter 3 Foundations of Computer Security
31(18)
3.1 Definitions
32(8)
3.1.1 Security
32(2)
3.1.2 Computer Security
34(1)
3.1.3 Confidentiality
34(1)
3.1.4 Integrity
35(1)
3.1.5 Availability
36(1)
3.1.6 Accountability
37(1)
3.1.7 Non-repudiation
38(1)
3.1.8 Reliability
38(1)
3.1.9 Our Definition
39(1)
3.2 The Fundamental Dilemma of Computer Security
40(1)
3.3 Data vs Information
40(1)
3.4 Principles of Computer Security
41(4)
3.4.1 Focus of Control
42(1)
3.4.2 The Man-Machine Scale
42(2)
3.4.3 Complexity vs Assurance
44(1)
3.4.4 Centralized or Decentralized Controls
44(1)
3.5 The Layer Below
45(2)
3.6 The Layer Above
47(1)
3.7 Further Reading
47(1)
3.8 Exercises
48(1)
Chapter 4 Identification and Authentication
49(16)
4.1 Username and Password
50(1)
4.2 Bootstrapping Password Protection
51(1)
4.3 Guessing Passwords
52(2)
4.4 Phishing, Spoofing, and Social Engineering
54(2)
4.4.1 Password Caching
55(1)
4.5 Protecting the Password File
56(2)
4.6 Single Sign-on
58(1)
4.7 Alternative Approaches
59(4)
4.8 Further Reading
63(1)
4.9 Exercises
63(2)
Chapter 5 Access Control
65(22)
5.1 Background
66(1)
5.2 Authentication and Authorization
66(2)
5.3 Access Operations
68(3)
5.3.1 Access Modes
68(1)
5.3.2 Access Rights of the Bell-LaPadula Model
68(2)
5.3.3 Administrative Access Rights
70(1)
5.4 Access Control Structures
71(2)
5.4.1 Access Control Matrix
71(1)
5.4.2 Capabilities
72(1)
5.4.3 Access Control Lists
72(1)
5.5 Ownership
73(1)
5.6 Intermediate Controls
74(5)
5.6.1 Groups and Negative Permissions
74(1)
5.6.2 Privileges
75(1)
5.6.3 Role-Based Access Control
76(2)
5.6.4 Protection Rings
78(1)
5.7 Policy Instantiation
79(1)
5.8 Comparing Security Attributes
79(5)
5.8.1 Partial Orderings
79(1)
5.8.2 Abilities in the VSTa Microkernel
80(1)
5.8.3 Lattice of Security Levels
81(1)
5.8.4 Multi-level Security
82(2)
5.9 Further Reading
84(1)
5.10 Exercises
84(3)
Chapter 6 Reference Monitors
87(20)
6.1 Introduction
88(2)
6.1.1 Placing the Reference Monitor
89(1)
6.1.2 Execution Monitors
90(1)
6.2 Operating System Integrity
90(1)
6.2.1 Modes of Operation
91(1)
6.2.2 Controlled Invocation
91(1)
6.3 Hardware Security Features
91(8)
6.3.1 Security Rationale
92(1)
6.3.2 A Brief Overview of Computer Architecture
92(3)
6.3.3 Processes and Threads
95(1)
6.3.4 Controlled Invocation-Interrupts
95(1)
6.3.5 Protection on the Intel 80386/80486
96(2)
6.3.6 The Confused Deputy Problem
98(1)
6.4 Protecting Memory
99(4)
6.4.1 Secure Addressing
100(3)
6.5 Further Reading
103(1)
6.6 Exercises
104(3)
Chapter 7 Unix Security
107(24)
7.1 Introduction
108(1)
7.1.1 Unix Security Architecture
109(1)
7.2 Principals
109(2)
7.2.1 User Accounts
110(1)
7.2.2 Superuser (Root)
110(1)
7.2.3 Groups
111(1)
7.3 Subjects
111(2)
7.3.1 Login and Passwords
112(1)
7.3.2 Shadow Password File
113(1)
7.4 Objects
113(3)
7.4.1 The Inode
113(1)
7.4.2 Default Permissions
114(1)
7.4.3 Permissions for Directories
115(1)
7.5 Access Control
116(3)
7.5.1 Set UserID and Set GroupID
117(1)
7.5.2 Changing Permissions
118(1)
7.5.3 Limitations of Unix Access Control
119(1)
7.6 Instances of General Security Principles
119(6)
7.6.1 Applying Controlled Invocation
119(1)
7.6.2 Deleting Files
120(1)
7.6.3 Protection of Devices
120(1)
7.6.4 Changing the Root of the Filesystem
121(1)
7.6.5 Mounting Filesystems
122(1)
7.6.6 Environment Variables
122(1)
7.6.7 Searchpath
123(1)
7.6.8 Wrappers
124(1)
7.7 Management Issues
125(3)
7.7.1 Managing the Superuser
125(1)
7.7.2 Trusted Hosts
126(1)
7.7.3 Audit Logs and Intrusion Detection
126(1)
7.7.4 Installation and Configuration
127(1)
7.8 Further Reading
128(1)
7.9 Exercises
128(3)
Chapter 8 Windows Security
131(24)
8.1 Introduction
132(3)
8.1.1 Architecture
132(1)
8.1.2 The Registry
133(1)
8.1.3 Domains
134(1)
8.2 Components of Access Control
135(7)
8.2.1 Principals
135(2)
8.2.2 Subjects
137(2)
8.2.3 Permissions
139(2)
8.2.4 Objects
141(1)
8.3 Access Decisions
142(3)
8.3.1 The DACL
143(1)
8.3.2 Decision Algorithm
144(1)
8.4 Managing Policies
145(2)
8.4.1 Property Sets
145(1)
8.4.2 ACE Inheritance
145(2)
8.5 Task-Dependent Access Rights
147(3)
8.5.1 Restricted Tokens
148(1)
8.5.2 User Account Control
149(1)
8.6 Administration
150(3)
8.6.1 User Accounts
150(1)
8.6.2 Default User Accounts
150(2)
8.6.3 Audit
152(1)
8.6.4 Summary
152(1)
8.7 Further Reading
153(1)
8.8 Exercises
153(2)
Chapter 9 Database Security
155(22)
9.1 Introduction
156(2)
9.2 Relational Databases
158(4)
9.2.1 Database Keys
160(1)
9.2.2 Integrity Rules
161(1)
9.3 Access Control
162(5)
9.3.1 The SQL Security Model
163(1)
9.3.2 Granting and Revocation of Privileges
163(1)
9.3.3 Access Control through Views
164(3)
9.4 Statistical Database Security
167(5)
9.4.1 Aggregation and Inference
168(1)
9.4.2 Tracker Attacks
169(1)
9.4.3 Countermeasures
170(2)
9.5 Integration with the Operating System
172(1)
9.6 Privacy
173(2)
9.7 Further Reading
175(1)
9.8 Exercises
175(2)
Chapter 10 Software Security
177(28)
10.1 Introduction
178(1)
10.1.1 Security and Reliability
178(1)
10.1.2 Malware Taxonomy
178(1)
10.1.3 Hackers
178(1)
10.1.4 Change in Environment
179(1)
10.1.5 Dangers of Abstraction
179(1)
10.2 Characters and Numbers
179(4)
10.2.1 Characters (UTF-8 Encoding)
179(2)
10.2.2 The rlogin Bug
181(1)
10.2.3 Integer Overflows
181(2)
10.3 Canonical Representations
183(1)
10.4 Memory Management
184(7)
10.4.1 Buffer Overruns
185(1)
10.4.2 Stack Overruns
186(1)
10.4.3 Heap Overruns
187(1)
10.4.4 Double-Free Vulnerabilities
187(2)
10.4.5 Type Confusion
189(2)
10.5 Data and Code
191(2)
10.5.1 Scripting
191(1)
10.5.2 SQL Injection
192(1)
10.6 Race Conditions
193(1)
10.7 Defences
194(7)
10.7.1 Prevention: Hardware
194(1)
10.7.2 Prevention: Modus Operandi
195(1)
10.7.3 Prevention: Safer Functions
195(1)
10.7.4 Prevention: Filtering
195(2)
10.7.5 Prevention: Type Safety
197(1)
10.7.6 Detection: Canaries
197(1)
10.7.7 Detection: Code Inspection
197(2)
10.7.8 Detection: Testing
199(1)
10.7.9 Mitigation: Least Privilege
200(1)
10.7.10 Reaction: Keeping Up to Date
201(1)
10.8 Further Reading
201(1)
10.9 Exercises
202(3)
Chapter 11 Bell-LaPadula Model
205(14)
11.1 State Machine Models
206(1)
11.2 The Bell-LaPadula Model
206(6)
11.2.1 The State Set
207(1)
11.2.2 Security Policies
208(2)
11.2.3 The Basic Security Theorem
210(1)
11.2.4 Tranquility
210(1)
11.2.5 Aspects and Limitations of BLP
211(1)
11.3 The Multics Interpretation of BLP
212(4)
11.3.1 Subjects and Objects in Multics
213(1)
11.3.2 Translating the BLP Policies
214(1)
11.3.3 Checking the Kernel Primitives
214(2)
11.4 Further Reading
216(1)
11.5 Exercises
216(3)
Chapter 12 Security Models
219(16)
12.1 The Biba Model
220(1)
12.1.1 Static Integrity Levels
220(1)
12.1.2 Dynamic Integrity Levels
220(1)
12.1.3 Policies for Invocation
221(1)
12.2 Chinese Wall Model
221(2)
12.3 The Clark-Wilson Model
223(2)
12.4 The Harrison-Ruzzo-Ullman Model
225(3)
12.5 Information-Flow Models
228(2)
12.5.1 Entropy and Equivocation
228(1)
12.5.2 A Lattice-Based Model
229(1)
12.6 Execution Monitors
230(2)
12.6.1 Properties of Executions
231(1)
12.6.2 Safety and Liveness
232(1)
12.7 Further Reading
232(1)
12.8 Exercises
233(2)
Chapter 13 Security Evaluation
235(16)
13.1 Introduction
236(3)
13.2 The Organge Book
239(2)
13.3 The Rainbow Series
241(1)
13.4 Information Technology Security Evaluation Criteria
242(1)
13.5 The Federal Criteria
243(1)
13.6 The Common Criteria
243(3)
13.6.1 Protection Profiles
244(1)
13.6.2 Evaluation Assurance Levels
245(1)
13.6.3 Evaluation Methodology
246(1)
13.6.4 Re-evaluation
246(1)
13.7 Quality Standards
246(1)
13.8 An Effort Well Spent?
247(1)
13.9 Summary
248(1)
13.10 Further Reading
248(1)
13.11 Exercises
249(2)
Chapter 14 Cryptography
251(24)
14.1 Introduction
252(4)
14.1.1 The Old Paradigm
252(1)
14.1.2 New Paradigms
253(1)
14.1.3 Cryptographic Keys
254(1)
14.1.4 Cryptography in Computer Security
255(1)
14.2 Modular Arithmetic
256(1)
14.3 Integrity Check Functions
257(3)
14.3.1 Collisions and the Birthday Paradox
257(1)
14.3.2 Manipulation Detection Codes
257(2)
14.3.3 Message Authentication Codes
259(1)
14.3.4 Cryptographic Hash Functions
259(1)
14.4 Digital Signatures
260(4)
14.4.1 One-Time Signatures
261(1)
14.4.2 ElGamal Signatures and DSA
261(2)
14.4.3 RSA Signatures
263(1)
14.5 Encryption
264(6)
14.5.1 Data Encryption Standard
265(1)
14.5.2 Block Cipher Modes
266(2)
14.5.3 RSA Encryption
268(1)
14.5.4 ElGamal Encryption
269(1)
14.6 Strength of Mechanisms
270(1)
14.7 Performance
271(1)
14.8 Further Reading
272(1)
14.9 Exercises
273(2)
Chapter 15 Key Establishment
275(22)
15.1 Introduction
276(1)
15.2 Key Establishment and Authentication
276(3)
15.2.1 Remote Authentication
277(1)
15.2.2 Key Establishment
278(1)
15.3 Key Establishment Protocols
279(4)
15.3.1 Authenticated Key Exchange Protocol
279(1)
15.3.2 The Diffie-Hellman Protocol
280(1)
15.3.3 Needham-Schroeder Protocol
281(1)
15.3.4 Password-Based Protocols
282(1)
15.4 Kerberos
283(5)
15.4.1 Realms
285(1)
15.4.2 Kerberos and Windows
286(1)
15.4.3 Delegation
286(1)
15.4.4 Revocation
287(1)
15.4.5 Summary
287(1)
15.5 Public-Key Infrastructures
288(5)
15.5.1 Certificates
288(1)
15.5.2 Certificates Authorities
289(1)
15.5.3 X.509/PKIX Certificates
289(2)
15.5.4 Certificate Chains
291(1)
15.5.5 Revocation
292(1)
15.5.6 Electronic Signatures
292(1)
15.6 Trusted Computing-Attestation
293(2)
15.7 Further Reading
295(1)
15.8 Exercises
295(2)
Chapter 16 Communications Security
297(22)
16.1 Introduction
298(1)
16.1.1 Threat Model
298(1)
16.1.2 Secure Tunnels
299(1)
16.2 Protocol Design Principles
299(2)
16.3 IP Security
301(7)
16.3.1 Authentication Header
302(1)
16.3.2 Encapsulating Security Payloads
302(2)
16.3.3 Security Associations
304(1)
16.3.4 Internet Key Exchange Protocol
304(2)
16.3.5 Denial of Service
306(1)
16.3.6 IPsec Policies
307(1)
16.3.7 Summary
308(1)
16.4 IPsec and Network Address Translation
308(2)
16.5 SSL/TLS
310(4)
16.5.1 Implementation Issues
312(1)
16.5.2 Summary
313(1)
16.6 Extensible Authentication Protocol
314(2)
16.7 Further Reading
316(1)
16.8 Exercises
316(3)
Chapter 17 Network Security
319(20)
17.1 Introduction
320(2)
17.1.1 Threat Model
320(1)
17.1.2 TCP Session Hijacking
321(1)
17.1.3 TCP SYN Flooding Attacks
322(1)
17.2 Domain Name System
322(6)
17.2.1 Lightweight Authentication
324(1)
17.2.2 Cache Poisoning Attack
324(1)
17.2.3 Additional Resource Records
324(1)
17.2.4 Dan Kaminsky's Attack
325(1)
17.2.5 DNSSec
326(1)
17.2.6 DNS Rebinding Attack
327(1)
17.3 Firewalls
328(4)
17.3.1 Packet Filters
329(1)
17.3.2 Stateful Packet Filters
330(1)
17.3.3 Circuit-Level Proxies
330(1)
17.3.4 Application-Level Proxies
330(1)
17.3.5 Firewall Policies
331(1)
17.3.6 Perimeter Networks
331(1)
17.3.7 Limitations and Problems
331(1)
17.4 Intrusion Detection
332(3)
17.4.1 Vulnerability Assessment
333(1)
17.4.2 Misuse Detection
333(1)
17.4.3 Anomaly Detection
334(1)
17.4.4 Network-Based IDS
334(1)
17.4.5 Host-Based IDS
334(1)
17.4.6 Honeypots
335(1)
17.5 Further Reading
335(1)
17.6 Exercises
336(3)
Chapter 18 Web Security
339(24)
18.1 Introduction
340(2)
18.1.1 Transport Protocol and Data Formats
340(1)
18.1.2 Web Browser
341(1)
18.1.3 Threat Model
342(1)
18.2 Authenticated Sessions
342(4)
18.2.1 Cookie Poisoning
343(1)
18.2.2 Cookies and Privacy
343(1)
18.2.3 Making Ends Meet
344(2)
18.3 Code Origin Policies
346(1)
18.3.1 HTTP Referer
347(1)
18.4 Cross-Site Scripting
347(3)
18.4.1 Cookie Stealing
349(1)
18.4.2 Defending against XSS
349(1)
18.5 Cross-Site Request Forgery
350(2)
18.5.1 Authentication for Credit
351(1)
18.6 JavaScript Hijacking
352(2)
18.6.1 Outlook
354(1)
18.7 Web Services Security
354(6)
18.7.1 XML Digital Signatures
355(2)
18.7.2 Federated Identity Management
357(2)
18.7.3 XACML
359(1)
18.8 Further Reading
360(1)
18.9 Exercises
361(2)
Chapter 19 Mobility
363(22)
19.1 Introduction
364(1)
19.2 GSM
364(5)
19.2.1 Components
365(1)
19.2.2 Temporary Mobile Subscriber Identity
365(1)
19.2.3 Cryptographic Algorithms
366(1)
19.2.4 Subscriber Identity Authentication
366(1)
19.2.5 Encryption
367(1)
19.2.6 Location-Based Services
368(1)
19.2.7 Summary
368(1)
19.3 UMTS
369(3)
19.3.1 False Base Station Attacks
369(1)
19.3.2 Cryptographic Algorithms
370(1)
19.3.3 UMTS Authentication and Key Agreement
370(2)
19.4 Mobile IPv6 Security
372(5)
19.4.1 Mobile IPv6
373(1)
19.4.2 Secure Binding Updates
373(2)
19.4.3 Ownership of Addresses
375(2)
19.5 WLAN
377(4)
19.5.1 WEP
378(1)
19.5.2 WPA
379(2)
19.5.3 IEEE 802.11i-WPA2
381(1)
19.6 Bluetooth
381(2)
19.7 Further Reading
383(1)
19.8 Exercises
383(2)
Chapter 20 New Access Control paradigms
385(24)
20.1 Introduction
386(2)
20.1.1 Paradigm Shifts in Access Control
386(1)
20.1.2 Revised Terminology for Access Control
387(1)
20.2 SPKI
388(2)
20.3 Trust Management
390(1)
20.4 Code-Based Access Control
391(4)
20.4.1 Stack Inspection
393(1)
20.4.2 History-Based Access Control
394(1)
20.5 Java Security
395(5)
20.5.1 The Execution Model
396(1)
20.5.2 The Java 1 Security Model
396(1)
20.5.3 The Java 2 Security Model
397(1)
20.5.4 Byte Code Verifier
397(1)
20.5.5 Class Loaders
398(1)
20.5.6 Policies
399(1)
20.5.7 Security Manager
399(1)
20.5.8 Summary
400(1)
20.6 .NET Security Framework
400(5)
20.6.1 Common Language Runtime
400(1)
20.6.2 Code-Identity-Based Security
401(1)
20.6.3 Evidence
401(1)
20.6.4 Strong Names
402(1)
20.6.5 Permissions
403(1)
20.6.6 Security Policies
403(1)
20.6.7 Stack Walk
404(1)
20.6.8 Summary
405(1)
20.7 Digital Rights Management
405(1)
20.8 Further Reading
406(1)
20.9 Exercises
406(3)
Bibliography 409(14)
Index 423
Dieter Gollmann, Technical University of Hamburg-Harburg.