This third edition of the all time classic computer security book provides an overview of all types of computer security from centralized systems to distributed networks. The book has been updated to make the most current information in the field available and accessible to today's professionals.
Charles P. Pfleeger is a Master Security Architect for Cable & Wireless Shari Lawrence Pfleeger, senior researcher for RAND
Table of Contents
Foreword. Preface to the Third Edition. 1. Is There a Security Problem in Computing?
What Does “Secure” Mean? Attacks. The Meaning of Computer Security. Computer Criminals. Methods of Defense. What's Next. Summary. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
2. Elementary Cryptography.
Terminology and Background. Substitution Ciphers. Transposition (Permutations). Making “Good” Encryption Algorithms. The Data Encryption Standard (DES). The AES Encryption Algorithm. Public Key Encryption. The Uses of Encryption. Summary of Encryption. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
3. Program Security.
Secure Programs. Nonmalicious Program Errors. Viruses and Other Malicious Code. Targeted Malicious Code. Controls Against Program Threats. Summary of Program Threats and Controls. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
4. Protection in General-Purpose Operating Systems.
Protected Objects and Methods of Protection. Memory and Address Protection. Control of Access to General Objects. File Protection Mechanisms. User Authentication. Summary of Security for Users. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
5.Designing Trusted Operating Systems.
What Is a Trusted System? Security Policies. Models of Security. Trusted Operating System Design. Assurance in Trusted Operating Systems. Implementation Examples. Summary of Security in Operating Systems. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
6. Database Security.
Introduction to Databases. Security Requirements. Reliability and Integrity. Sensitive Data. Inference. Multilevel Databases. Proposals for Multilevel Security. Summary of Database Security. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
7. Security in Networks.
Network Concepts. Threats in Networks. Network Security Controls. Firewalls. Intrusion Detection Systems. Secure E-Mail. Summary of Network Security. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
8. Administering Security.
Security Planning. Risk Analysis. Organizational Security Policies. Physical Security. Summary. Terms and Concepts. To Learn More. Exercises.
9. Legal, Privacy, and Ethical Issues in Computer Security.
Protecting Programs and Data. Information and the Law. Rights of Employees and Employers. Software Failures. Computer Crime. Privacy. Ethical Issues in Computer Security. Case Studies of Ethics. Case I: Use of Computer Services. Case II: Privacy Rights. Case III: Denial of Service. Case IV: Ownership of Programs. Case V: Proprietary Resources. Case VI: Fraud. Case VII: Accuracy of Information. Case VIII: Ethics of Hacking or Cracking. Codes of Ethics. Conclusion of Computer Ethics. Terms and Concepts. To Learn More. Exercises.
10. Cryptography Explained.
Mathematics for Cryptography. Symmetric Encryption. Public Key Encryption Systems. Quantum Cryptography. Summary of Encryption. Terms and Concepts. Where the Field Is Headed. To Learn More. Exercises.
Preface to the Third Edition Every day, the news media give more and more visibility to the effects of computer security on our daily lives. For example, on a single day in June 2002, the Washington Post included three important articles about security. On the front page, one article described the possibility that a terrorist group was plotting toand actually couldinvade computer systems and destroy huge dams, disable the power grid, or wreak havoc with the air traffic control system. A second article, also on the front page, considered the potential loss of personal privacy as governments and commercial establishments begin to combine and correlate data in computer-maintained databases. Further back, a third article discussed yet another software flaw that could have widespread effect. Thus, computer security is no longer relegated to esoteric discussions of what might happen; it is instead a hot news topic, prominently featured in newspapers, magazines, radio talk shows, and documentary television programs. The audience is no longer just the technical community; it is ordinary people, who feel the effects of pervasive computing. In just a few years the world's public has learned the terms "virus," "worm," and "Trojan horse" and now appreciates the concepts of "unauthorized access," "sabotage," and "denial of service." During this same time, the number of computer users has increased dramatically; with those new users have come new uses: electronic stock trading, sharing of medical records, and remote control of sensitive equipment, to name just three. It should be no surprise that threats to security in computing have increased along with the users and uses. Why Read This Book? Are your data or programs at risk? If you answer "yes" to any of the following questions, you have a potential security risk. Do you connect to the Internet? Do you read e-mail? Have you gotten any new programsor any new versions of old programswithin, say, the last year? Is there any important program or data item of which you do not have a second copy stored somewhere other than on your computer? Almost every computer user today meets at least one of these conditions, and so you, and almost every other computer user, are at risk of some harmful computer security event. Risk does not mean you should stop using computers. You are at risk of being hit by a falling meteorite or of being robbed by a thief on the street, but you do not hide in a fortified underground bunker all day. You learn what puts you at risk and how to control it. Controlling a risk is not the same as eliminating it; you simply want to bring it to a tolerable level. How do you control the risk of computer security? Learn about the threats to computer security. Understand what causes these threats by studying how vulnerabilities arise in the development and use of computer systems. Survey the controls that can reduce or block these threats. Develop a computing styleas a user, developer, manager, consumer, and voterthat balances security and risk. Users and Uses of This Book This book is intended for the study of computer security. Many of you want to study this topic: college and university students, computing professionals, managers, and users of all kinds of computer-based systems. All want to know the same thing: how to control the risk of computer security. But you may differ in how much information you need about particular topics: Some want a broad survey, whereas others want to focus on particular topics, such as networks or program development. This book should provide the breadth and depth that most readers want. The book is organized by general area of computing, so that readers with particular interests can find information easily. The chapters of this book pr