Analyzing Computer Security: A Threat / Vulnerability / Countermeasure Approach / Edition 1


Overview

“In this book, the authors adopt a refreshingly new approach to explaining the intricacies of the security and privacy challenge that is particularly well suited to today’s cybersecurity challenges. Their use of the threat–vulnerability–countermeasure paradigm combined with extensive real-world examples throughout results in a very effective learning methodology.”

—Charles C. Palmer, IBM Research

The Modern Introduction to Computer Security: Understand Threats, Identify Their Causes, and Implement Effective Countermeasures

Analyzing Computer Security is a fresh, modern, and relevant introduction to computer security. Organized around today’s key attacks, vulnerabilities, and countermeasures, it helps you think critically and creatively about computer security—so you can prevent serious problems and mitigate the effects of those that still occur.

In this new book, renowned security and software engineering experts Charles P. Pfleeger and Shari Lawrence Pfleeger—authors of the classic Security in Computing—teach security the way modern security professionals approach it: by identifying the people or things that may cause harm, uncovering weaknesses that can be exploited, and choosing and applying the right protections. With this approach, not only will you study cases of attacks that have occurred, but you will also learn to apply this methodology to new situations.

The book covers “hot button” issues, such as authentication failures, network interception, and denial of service. You also gain new insight into broader themes, including risk analysis, usability, trust, privacy, ethics, and forensics. One step at a time, the book systematically helps you develop the problem-solving skills needed to protect any information infrastructure.

Coverage includes

  • Understanding threats, vulnerabilities, and countermeasures
  • Knowing when security is useful, and when it’s useless “security theater”
  • Implementing effective identification and authentication systems
  • Using modern cryptography and overcoming weaknesses in cryptographic systems
  • Protecting against malicious code: viruses, Trojans, worms, rootkits, keyloggers, and more
  • Understanding, preventing, and mitigating DOS and DDOS attacks
  • Architecting more secure wired and wireless networks
  • Building more secure application software and operating systems through more solid designs and layered protection
  • Protecting identities and enforcing privacy
  • Addressing computer threats in critical areas such as cloud computing, e-voting, cyberwarfare, and social media

Editorial Reviews

From the Publisher

“This is a must-read book for any budding Security Architect and also makes a great professional reference. I’d recommend this book to any IT architect or specialist wishing to enter the field of security architectures, as well as to anyone who already has that title and wants a good quality reference book.” (John Hughes, InfoSec Reviews)


Product Details

  • ISBN-13: 9780132789462
  • Publisher: Prentice Hall
  • Publication date: 9/8/2011
  • Edition description: New Edition
  • Edition number: 1
  • Pages: 848
  • Sales rank: 450,771
  • Product dimensions: 7.30 (w) x 9.20 (h) x 1.30 (d)

Meet the Author

Dr. Charles P. Pfleeger, an independent computer and information security consultant, provides threat/vulnerability analysis, design review, training, expert testimony, and security advice to clients worldwide. He was master security architect at Cable and Wireless and Exodus Communications, and professor of computer science at the University of Tennessee. Dr. Pfleeger is coauthor of Security in Computing, Fourth Edition (Prentice Hall, 2007), today’s leading college computer security textbook.

Dr. Shari Lawrence Pfleeger is Director of Research for the Institute for Information Infrastructure Protection at Dartmouth College, a consortium working to protect the U.S. cyber infrastructure. The Journal of Systems and Software has repeatedly named her one of the world’s top software engineering researchers. Dr. Pfleeger is coauthor of Security in Computing, Fourth Edition (Prentice Hall, 2007), today’s leading college computer security textbook.


Table of Contents

Foreword xxiii

Preface xxvii

About the Authors xxxv

Chapter 1: Security Blanket or Security Theater? 2

How Dependent Are We on Computers? 6

What Is Computer Security? 8

Threats 11

Harm 24

Vulnerabilities 30

Controls 30

Analyzing Security With Examples 33

Conclusion 34

Exercises 35

Chapter 2: Knock, Knock. Who’s There? 38

Attack: Impersonation 39

Attack Details: Failed Authentication 40

Vulnerability: Faulty or Incomplete Authentication 41

Countermeasure: Strong Authentication 47

Conclusion 64

Recurring Thread: Privacy 67

Recurring Thread: Usability 69

Exercises 71

Chapter 3: 2 + 2 = 5 72

Attack: Program Flaw in Spacecraft Software 74

Threat: Program Flaw Leads to Security Failing 75

Vulnerability: Incomplete Mediation 77

Vulnerability: Race Condition 79

Vulnerability: Time-of-Check to Time-of-Use 82

Vulnerability: Undocumented Access Point 84

Ineffective Countermeasure: Penetrate-and-Patch 85

Countermeasure: Identifying and Classifying Faults 86

Countermeasure: Secure Software Design Elements 90

Countermeasure: Secure Software Development Process 97

Good Design 103

Countermeasure: Testing 114

Countermeasure: Defensive Programming 122

Conclusion 123

Recurring Thread: Legal—Redress for Software Failures 125

Exercises 128

Chapter 4: A Horse of a Different Color 130

Attack: Malicious Code 131

Threat: Malware—Virus, Trojan Horse, and Worm 132

Technical Details: Malicious Code 138

Vulnerability: Voluntary Introduction 155

Vulnerability: Unlimited Privilege 157

Vulnerability: Stealthy Behavior—Hard to Detect and Characterize 157

Countermeasure: Hygiene 158

Countermeasure: Detection Tools 159

Countermeasure: Error Detecting and Error Correcting Codes 166

Countermeasure: Memory Separation 170

Countermeasure: Basic Security Principles 171

Recurring Thread: Legal—Computer Crime 172

Conclusion 177

Exercises 178

Chapter 5: The Keys to the Kingdom 180

Attack: Keylogging 181

Threat: Illicit Data Access 182

Attack Details 182

Harm: Data and Reputation 186

Vulnerability: Physical Access 186

Vulnerability: Misplaced Trust 187

Vulnerability: Insiders 189

Vulnerability: System Subversion 191

Recurring Thread: Forensics—Tracing Data Flow 193

Vulnerability: Weak Authentication 194

Failed Countermeasure: Security through Obscurity 194

Countermeasure: Physical Access Control 196

Countermeasure: Strong Authentication 198

Countermeasure: Trust/Least Privilege 202

Conclusion 204

Recurring Thread: Forensics—Plug-and-Play Devices 205

Exercises 207

Interlude A: Cloud Computing 210

What Is Cloud Computing? 211

What Are the Risks in the Cloud? 213

Chapter 6: My Cup Runneth Over 216

Attack: What Did You Say That Number Was? 217

Harm: Destruction of Code and Data 218

Vulnerability: Off-by-One Error 230

Vulnerability: Integer Overflow 231

Vulnerability: Unterminated Null-Terminated String 232

Vulnerability: Parameter Length and Number 233

Vulnerability: Unsafe Utility Programs 234

Attack: Important Overflow Exploitation Examples 234

Countermeasure: Programmer Bounds Checking 244

Countermeasure: Programming Language Support 244

Countermeasure: Stack Protection/Tamper Detection 247

Countermeasure: Hardware Protection of Executable Space 249

Countermeasure: General Access Control 261

Conclusion 272

Exercises 274

Chapter 7: He Who Steals My Purse . . . 276

Attack: Veterans’ Administration Laptop Stolen 277

Threat: Loss of Data 278

Extended Threat: Disaster 278

Vulnerability: Physical Access 279

Vulnerability: Unprotected Availability of Data 279

Vulnerability: Unprotected Confidentiality of Data 279

Countermeasure: Policy 280

Countermeasure: Physical Security 280

Countermeasure: Data Redundancy (Backup) 282

Countermeasure: Encryption 286

Countermeasure: Disk Encryption 325

Conclusion 326

Exercises 329

Chapter 8: The Root of All Evil 332

Background: Operating System Structure 333

Attack: Phone Rootkit 337

Attack Details: What Is a Rootkit? 338

Vulnerability: Software Complexity 347

Vulnerability: Difficulty of Detection and Eradication 347

Countermeasure: Simplicity of Design 348

Countermeasure: Trusted Systems 353

Conclusion 364

Exercises 365

Chapter 9: Scanning the Horizon 368

Attack: Investigation, Intrusion, and Compromise 369

Threat: Port Scan 370

Attack Details 371

Harm: Knowledge and Exposure 374

Recurring Thread: Legal—Are Port Scans Legal? 375

Vulnerability: Revealing Too Much 376

Vulnerability: Allowing Internal Access 376

Countermeasure: System Architecture 377

Countermeasure: Firewall 378

Countermeasure: Network Address Translation (NAT) 397

Countermeasure: Security Perimeter 399

Conclusion 400

Exercises 402

Chapter 10: Do You Hear What I Hear? 404

Attack: Wireless (WiFi) Network Access 405

Harm: Confidentiality–Integrity–Availability 412

Attack: Unauthorized Access 414

Vulnerability: Protocol Weaknesses 414

Failed Countermeasure: WEP 418

Stronger but Not Perfect Countermeasure: WPA and WPA2 422

Conclusion 426

Recurring Thread: Privacy—Privacy-Preserving Design 427

Exercises 429

Chapter 11: I Hear You Loud and Clear 432

Attack: Enemies Watch Predator Video 433

Attack Details 434

Threat: Interception 437

Vulnerability: Wiretapping 441

Countermeasure: Encryption 448

Countermeasure: Virtual Private Networks 452

Countermeasure: Cryptographic Key Management Regime 456

Countermeasure: Asymmetric Cryptography 459

Countermeasure: Kerberos 464

Conclusion 468

Recurring Thread: Ethics—Monitoring Users 471

Exercises 472

Interlude B: Electronic Voting 474

What Is Electronic Voting? 475

What Is a Fair Election? 477

What Are the Critical Issues? 477

Chapter 12: Disregard That Man Behind the Curtain 482

Attack: Radar Sees Only Blue Skies 483

Threat: Man in the Middle 484

Threat: “In-the-Middle” Activity 487

Vulnerability: Unwarranted Trust 498

Vulnerability: Failed Identification and Authentication 499

Vulnerability: Unauthorized Access 501

Vulnerability: Inadequate Attention to Program Details 501

Vulnerability: Protocol Weakness 502

Countermeasure: Trust 503

Countermeasure: Identification and Authentication 503

Countermeasure: Cryptography 506

Related Attack: Covert Channel 508

Related Attack: Steganography 517

Conclusion 519

Exercises 520

Chapter 13: Not All Is as It Seems 524

Attacks: Forgeries 525

Threat: Integrity Failure 530

Attack Details 530

Vulnerability: Protocol Weaknesses 542

Vulnerability: Code Flaws 543

Vulnerability: Humans 543

Countermeasure: Digital Signature 545

Countermeasure: Secure Protocols 566

Countermeasure: Access Control 566

Countermeasure: User Education 568

Possible Countermeasure: Analysis 569

Non-Countermeasure: Software Goodness Checker 571

Conclusion 572

Exercises 574

Chapter 14: Play It [Again] Sam, or, Let’s Look at the Instant Replay 576

Attack: Cloned RFIDs 577

Threat: Replay Attacks 578

Vulnerability: Reuse of Session Data 580

Countermeasure: Unrepeatable Protocol 580

Countermeasure: Cryptography 583

Conclusion: Replay Attacks 584

Similar Attack: Session Hijack 584

Vulnerability: Electronic Impersonation 588

Vulnerability: Nonsecret Token 588

Countermeasure: Encryption 589

Countermeasure: IPsec 593

Countermeasure: Design 596

Conclusion 597

Exercises 598

Chapter 15: I Can’t Get No Satisfaction 600

Attack: Massive Estonian Web Failure 601

Threat: Denial of Service 602

Threat: Flooding 602

Threat: Blocked Access 603

Threat: Access Failure 604

Case: Beth Israel Deaconess Hospital Systems Down 605

Vulnerability: Insufficient Resources 606

Vulnerability: Addressee Cannot Be Found 611

Vulnerability: Exploitation of Known Vulnerability 613

Vulnerability: Physical Disconnection 613

Countermeasure: Network Monitoring and Administration 614

Countermeasure: Intrusion Detection and Prevention Systems 618

Countermeasure: Management 630

Conclusion: Denial of Service 633

Extended Attack: E Pluribus Contra Unum 635

Technical Details 638

Recurring Thread: Legal—DDoS Crime Does Not Pay 643

Vulnerability: Previously Described Attacks 643

Countermeasures: Preventing Bot Conscription 645

Countermeasures: Handling an Attack Under Way 647

Conclusion: Distributed Denial of Service 648

Exercises 649

Interlude C: Cyber Warfare 652

What Is Cyber Warfare? 653

Examples of Cyber Warfare 654

Critical Issues 656

Chapter 16: ’Twas Brillig, and the Slithy Toves . . . 662

Attack: Grade Inflation 663

Threat: Data Corruption 664

Countermeasure: Codes 667

Countermeasure: Protocols 668

Countermeasure: Procedures 669

Countermeasure: Cryptography 670

Conclusion 673

Exercises 674

Chapter 17: Peering through the Window 676

Attack: Sharing Too Much 677

Attack Details: Characteristics of Peer-to-Peer Networks 677

Threat: Inappropriate Data Disclosure 680

Threat: Introduction of Malicious Software 681

Threat: Exposure to Unauthorized Access 682

Vulnerability: User Failure to Employ Access Controls 683

Vulnerability: Unsafe User Interface 683

Vulnerability: Malicious Downloaded Software 684

Countermeasure: User Education 685

Countermeasure: Secure-by-Default Software 685

Countermeasure: Legal Action 686

Countermeasure: Outbound Firewall or Guard 688

Conclusion 689

Recurring Thread: Legal—Protecting Computer Objects 691

Exercises 704

Chapter 18: My 100,000 Nearest and Dearest Friends 706

Attack: I See U 707

Threat: Loss of Confidentiality 708

Threat: Data Leakage 709

Threat: Introduction of Malicious Code 710

Attack Details: Unintended Disclosure 711

Vulnerability: Exploiting Trust Relationships 721

Vulnerability: Analysis on Data 722

Vulnerability: Hidden Data Attributes 722

Countermeasure: Data Suppression and Modification 724

Countermeasure: User Awareness and Education 729

Countermeasure: Policy 733

Conclusion 734

Exercises 736

Afterword 738

Challenges Facing Us 739

Critical Issues 741

Moving Forward: Suggested Next Steps for Improving Computer Security 742

And Now for Something a Little Different 746

Bibliography 749

Index 773


Customer Reviews

Posted December 19, 2012

Solid security reference and solutions guide

A core value of this publication is the Threat-Vulnerability-Countermeasure paradigm the authors adopted in exploring a wide range of computer security challenges: threats as the potential for harm from multiple sources, vulnerability as an identifiable system weakness, and countermeasure or control as means of defense and protection. When combined with numerous encyclopedic explanations, this makes it a solid security reference and solutions guide. Given the multiple intended audiences for this book (students, computing professionals, and end-users), the exercises at the end of each chapter are an expected standard fare. But for those readers in a deep dive mode, they facilitate not only a means of review but also a mechanism for a further exploration of covered topics. Chapter titles are humorous, euphemistic at times, drawing and engaging the reader into the real security story behind them. References to recent high-profile cyber events and several interludes (mini-chapters) on Cyber Warfare, Electronic Voting, and Cloud Computing are a welcome addition to this already solid computing security reference. I am keeping it close by, within reach.
