Security in Computing
The Art of Computer and Information Security: From Apps and Networks to Cloud and Crypto

Security in Computing, Sixth Edition, is today's essential text for anyone teaching, learning, and practicing cybersecurity. It defines core principles underlying modern security policies, processes, and protection; illustrates them with up-to-date examples; and shows how to apply them in practice. Modular and flexibly organized, this book supports a wide array of courses, strengthens professionals' knowledge of foundational principles, and imparts a more expansive understanding of modern security.

This extensively updated edition adds or expands coverage of artificial intelligence and machine learning tools; app and browser security; security by design; securing cloud, IoT, and embedded systems; privacy-enhancing technologies; protecting vulnerable individuals and groups; strengthening security culture; cryptocurrencies and blockchain; cyberwarfare; post-quantum computing; and more. It contains many new diagrams, exercises, sidebars, and examples, and is suitable for use with two leading frameworks: the US NIST National Initiative for Cybersecurity Education (NICE) and the UK Cyber Security Body of Knowledge (CyBOK).

  • Core security concepts: Assets, threats, vulnerabilities, controls, confidentiality, integrity, availability, attackers, and attack types
  • The security practitioner's toolbox: Identification and authentication, access control, and cryptography
  • Areas of practice: Securing programs, user–internet interaction, operating systems, networks, data, databases, and cloud computing
  • Cross-cutting disciplines: Privacy, management, law, and ethics
  • Using cryptography: Formal and mathematical underpinnings, and applications of cryptography
  • Emerging topics and risks: AI and adaptive cybersecurity, blockchains and cryptocurrencies, cyberwarfare, and quantum computing

Register your book for convenient access to downloads, updates, and/or corrections as they become available. See inside book for details.

Paperback

$159.60 

Product Details

ISBN-13: 9780137891214
Publisher: Pearson Education
Publication date: 08/05/2023
Pages: 1040
Product dimensions: 7.00(w) x 9.13(h) x 1.50(d)

About the Author

Charles P. Pfleeger is an internationally known expert on computer and communications security. He spent 14 years as professor of computer science at the University of Tennessee, before moving on to the computer research and consulting company Trusted Information Systems, where he was director of European operations and senior consultant. He was also director of research, member of the staff, and chief security officer at Cable and Wireless. He has chaired the IEEE Computer Society Technical Committee on Security and Privacy and was on the editorial board of IEEE Security & Privacy magazine.

Shari Lawrence Pfleeger is a widely known software engineering and computer security researcher. She served as president of Systems/Software and then as senior researcher with the Rand Corporation. As research director of the Institute for Information Infrastructure Protection, she oversaw large, high-impact computer security research projects for international government and industry clients. She has served as associate editor in chief of IEEE Software magazine, and as editor in chief of IEEE Security & Privacy magazine.

Lizzie Coles-Kemp is a professor of information security at the Information Security Group, Royal Holloway University of London (RHUL). Prior to joining RHUL in 2007, Lizzie worked in security practice for 17 years and held several managerial and directorship roles. During this time, she worked on the design and implementation of software access control systems, taught network security to practitioners, worked as a lead assessor in security standards for a UK certification body, and was global security officer for the British Council (a UK NGO).

Read an Excerpt

Every day, the news media give more and more visibility to the effects of computer security on our daily lives. For example, on a single day in June 2006, the Washington Post included three important articles about security. On the front page, one article discussed the loss of a laptop computer containing personal data on 26.5 million veterans. A second article, on the front page of the business section, described Microsoft's new product suite to combat malicious code, spying, and unsecured vulnerabilities in its operating system. Further back, a third article reported on a major consumer electronics retailer that inadvertently installed software on its customers' computers, making them part of a web of compromised slave computers. The sad fact is that news like this appears almost every day, and has done so for a number of years. There is no end in sight.

Even though the language of computer security—terms such as virus, Trojan horse, phishing, spyware—is common, the application of solutions to computer security problems is uncommon. Moreover, new attacks are clever applications of old problems. The pressure to get a new product or new release to market still in many cases overrides security requirements for careful study of potential vulnerabilities and countermeasures. Finally, many people are in denial, blissfully ignoring the serious harm that insecure computing can cause.

Why Read This Book?

Admit it. You know computing entails serious risks to the privacy and integrity of your data, or the operation of your computer. Risk is a fact of life: Crossing the street is risky, perhaps more so in some places than others, but you still cross the street. As a child you learned to stop and look both ways before crossing. As you became older you learned to gauge the speed of oncoming traffic and determine whether you had the time to cross. At some point you developed a sense of whether an oncoming car would slow down or yield. We hope you never had to practice this, but sometimes you have to decide whether darting into the street without looking is the best means of escaping danger. The point is all these matters depend on knowledge and experience. We want to help you develop the same knowledge and experience with respect to the risks of secure computing.

How do you control the risk of computer security?

  • Learn about the threats to computer security.
  • Understand what causes these threats by studying how vulnerabilities arise in the development and use of computer systems.
  • Survey the controls that can reduce or block these threats.
  • Develop a computing style—as a user, developer, manager, consumer, and voter—that balances security and risk.

The field of computer security changes rapidly, but the underlying problems remain largely unchanged. In this book you will find a progression that shows you how current complex attacks are often instances of more fundamental concepts.

Users and Uses of This Book

This book is intended for the study of computer security. Many of you want to study this topic: college and university students, computing professionals, managers, and users of all kinds of computer-based systems. All want to know the same thing: how to control the risk of computer security. But you may differ in how much information you need about particular topics: Some want a broad survey, while others want to focus on particular topics, such as networks or program development.

This book should provide the breadth and depth that most readers want. The book is organized by general area of computing, so that readers with particular interests can find information easily. The chapters of this book progress in an orderly manner, from general security concerns to the particular needs of specialized applications, and finally to overarching management and legal issues. Thus, the book covers five key areas of interest:

  • introduction: threats, vulnerabilities, and controls
  • encryption: the "Swiss army knife" of security controls
  • code: security in programs, including applications, operating systems, database management systems, and networks
  • management: building and administering a computing installation, from one computer to thousands, and understanding the economics of cybersecurity
  • law, privacy, ethics: non-technical approaches by which society controls computer security risks

These areas are not equal in size; for example, more than half the book is devoted to code because so much of the risk is at least partly caused by program code that executes on computers.

The first chapter introduces the concepts and basic vocabulary of computer security. Studying the second chapter provides an understanding of what encryption is and how it can be used or misused. Just as a driver's manual does not address how to design or build a car, Chapter 2 is not for designers of new encryption schemes, but rather for users of encryption. Chapters 3 through 7 cover successively larger pieces of software: individual programs, operating systems, complex applications like database management systems, and finally networks, which are distributed complex systems. Chapter 8 discusses managing and administering security, and describes how to find an acceptable balance between threats and controls. Chapter 9 addresses an important management issue by exploring the economics of cybersecurity: understanding and communicating the costs and benefits. In Chapter 10 we turn to the personal side of computer security as we consider how security, or its lack, affects personal privacy. Chapter 11 covers the way society at large addresses computer security, through its laws and ethical systems. Finally, Chapter 12 returns to cryptography, this time to look at the details of the encryption algorithms themselves.

Within that organization, you can move about, picking and choosing topics of particular interest. Everyone should read Chapter 1 to build a vocabulary and a foundation. It is wise to read Chapter 2 because cryptography appears in so many different control techniques. Although there is a general progression from small programs to large and complex networks, you can in fact read Chapters 3 through 7 out of sequence or pick topics of greatest interest. Chapters 8 and 9 may be just right for the professional looking for non-technical controls to complement the technical ones of the earlier chapters. These chapters may also be important for the computer science student who wants to look beyond a narrow view of bytes and protocols. We recommend Chapters 10 and 11 for everyone, because those chapters deal with the human aspects of security: privacy, laws, and ethics. All computing is ultimately done to benefit humans, and so we present personal risks and approaches to computing. Chapter 12 is for people who want to understand some of the underlying mathematics and logic of cryptography.

What background should you have to appreciate this book? The only assumption is an understanding of programming and computer systems. Someone who is an advanced undergraduate or graduate student in computer science certainly has that background, as does a professional designer or developer of computer systems. A user who wants to understand more about how programs work can learn from this book, too; we provide the necessary background on concepts of operating systems or networks, for example, before we address the related security concerns.

This book can be used as a textbook in a one- or two-semester course in computer security. The book functions equally well as a reference for a computer professional or as a supplement to an intensive training course. And the index and extensive bibliography make it useful as a handbook to explain significant topics and point to key articles in the literature. The book has been used in classes throughout the world; instructors often design one-semester courses that focus on topics of particular interest to the students or that relate well to the rest of a curriculum.

What Is New In This Book?

This is the fourth edition of Security in Computing, first published in 1989. Since then, the specific threats, vulnerabilities, and controls have changed, even though many of the basic notions have remained the same.

The two changes most obvious to people familiar with the previous editions are the additions of two new chapters, on the economics of cybersecurity and privacy. These two areas are receiving more attention both in the computer security community and in the rest of the user population.

But this revision touched every existing chapter as well. The threats and vulnerabilities of computing systems have not stood still since the previous edition in 2003, and so we present new information on threats and controls of many types. Changes include:

  • the shift from individual hackers working for personal reasons to organized attacker groups working for financial gain
  • programming flaws leading to security failures, highlighting man-in-the-middle, timing, and privilege escalation errors
  • recent malicious code attacks, such as false interfaces and keystroke loggers
  • approaches to code quality, including software engineering, testing, and liability approaches
  • rootkits, including ones from unexpected sources
  • web applications' threats and vulnerabilities
  • privacy issues in data mining
  • WiFi network security
  • cryptanalytic attacks on popular algorithms, such as RSA, DES, and SHA, and recommendations for more secure use of these
  • bots, botnets, and drones, making up networks of compromised systems
  • update to the Advanced Encryption System (AES) with experience from its first several years of use
  • the divide between sound authentication approaches and users' actions
  • biometric authentication capabilities and limitations
  • the conflict between efficient production and use of digital content (e.g., music and videos) and control of piracy

In addition to these major changes, there are numerous small corrective and clarifying ones, ranging from wording and notational changes for pedagogic reasons to replacement, deletion, rearrangement, and expansion of sections.

Table of Contents

Foreword xix
Preface xxv
Acknowledgments xxxi
About the Authors xxxiii

Chapter 1: Introduction 1
1.1 What Is Computer Security? 3
1.2 Threats 6
1.3 Harm 24
1.4 Vulnerabilities 30
1.5 Controls 30
1.6 Conclusion 33
1.7 What's Next? 34
1.8 Exercises 36

Chapter 2: Toolbox: Authentication, Access Control, and Cryptography 38
2.1 Authentication 40
2.2 Access Control 78
2.3 Cryptography 93
2.4 Conclusion 137
2.5 Exercises 138

Chapter 3: Programs and Programming 141
3.1 Unintentional (Nonmalicious) Programming Oversights 143
3.2 Malicious Code—Malware 178
3.3 Countermeasures 211
3.4 Conclusion 245
3.5 Exercises 245

Chapter 4: The Internet—User Side 248
4.1 Browser Attacks 251
4.2 Attacks Targeting Users 265
4.3 Obtaining User or Website Data 280
4.4 Mobile Apps 289
4.5 Email and Message Attacks 310
4.6 Conclusion 320
4.7 Exercises 321

Chapter 5: Operating Systems 323
5.1 Security in Operating Systems 323
5.2 Security in the Design of Operating Systems 351
5.3 Rootkits 371
5.4 Conclusion 382
5.5 Exercises 382

Chapter 6: Networks 385
6.1 Network Concepts 386
Part I—War on Networks: Network Security Attacks 399
6.2 Threats to Network Communications 400
6.3 Wireless Network Security 421
6.4 Denial of Service 443
6.5 Distributed Denial of Service 468
Part II—Strategic Defenses: Security Countermeasures 479
6.6 Cryptography in Network Security 479
6.7 Firewalls 497
6.8 Intrusion Detection and Prevention Systems 522
6.9 Network Management 536
6.10 Conclusion 545
6.11 Exercises 545

Chapter 7: Data and Databases 549
7.1 Introduction to Databases 550
7.2 Security Requirements of Databases 555
7.3 Reliability and Integrity 561
7.4 Database Disclosure 566
7.5 Data Mining and Big Data 585
7.6 Conclusion 599
7.7 Exercises 599

Chapter 8: New Territory 601
8.1 Introduction 601
8.2 Cloud Architectures and Their Security 605
8.3 IoT and Embedded Devices 627
8.4 Cloud, IoT, and Embedded Devices—The Smart Home 638
8.5 Smart Cities, IoT, Embedded Devices, and Cloud 643
8.6 Cloud, IoT, and Critical Services 648
8.7 Conclusion 657
8.8 Exercises 658

Chapter 9: Privacy 659
9.1 Privacy Concepts 660
9.2 Privacy Principles and Policies 671
9.3 Authentication and Privacy 688
9.4 Data Mining 694
9.5 Privacy on the Internet 698
9.6 Email and Message Security 713
9.7 Privacy Impacts of Newer Technologies 717
9.8 Conclusion 724
9.9 Exercises 725

Chapter 10: Management and Incidents 727
10.1 Security Planning 727
10.2 Business Continuity Planning 738
10.3 Handling Incidents 742
10.4 Risk Analysis 749
10.5 Physical Threats to Systems 767
10.6 New Frontiers in Security Management 776
10.7 Conclusion 778
10.8 Exercises 779

Chapter 11: Legal Issues and Ethics 781
11.1 Protecting Programs and Data 783
11.2 Information and the Law 800
11.3 Rights of Employees and Employers 805
11.4 Redress for Software Failures 808
11.5 Computer Crime 814
11.6 Ethical Issues in Computer Security 822
11.7 An Ethical Dive into Artificial Intelligence 828
11.8 Incident Analyses with Ethics 830
11.9 Conclusion 846
11.10 Exercises 847

Chapter 12: Details of Cryptography 850
12.1 Cryptology 851
12.2 Symmetric Encryption Algorithms 863
12.3 Asymmetric Encryption 877
12.4 Message Digests 883
12.5 Digital Signatures 888
12.6 Quantum Key Distribution 889
12.7 Conclusion 894

Chapter 13: Emerging Topics 895
13.1 AI and Cybersecurity 896
13.2 Blockchains and Cryptocurrencies 908
13.3 Offensive Cyber and Cyberwarfare 924
13.4 Quantum Computing and Computer Security 936
13.5 Conclusion 937

Bibliography 939
Index 963

Preface

Preface to the Third Edition

Every day, the news media give more and more visibility to the effects of computer security on our daily lives. For example, on a single day in June 2002, the Washington Post included three important articles about security. On the front page, one article described the possibility that a terrorist group was plotting to—and actually could—invade computer systems and destroy huge dams, disable the power grid, or wreak havoc with the air traffic control system. A second article, also on the front page, considered the potential loss of personal privacy as governments and commercial establishments begin to combine and correlate data in computer-maintained databases. Further back, a third article discussed yet another software flaw that could have widespread effect. Thus, computer security is no longer relegated to esoteric discussions of what might happen; it is instead a hot news topic, prominently featured in newspapers, magazines, radio talk shows, and documentary television programs. The audience is no longer just the technical community; it is ordinary people, who feel the effects of pervasive computing.

In just a few years the world's public has learned the terms "virus," "worm," and "Trojan horse" and now appreciates the concepts of "unauthorized access," "sabotage," and "denial of service." During this same time, the number of computer users has increased dramatically; with those new users have come new uses: electronic stock trading, sharing of medical records, and remote control of sensitive equipment, to name just three. It should be no surprise that threats to security in computing have increased along with the users and uses.

Why Read This Book?

Are your data or programs at risk? If you answer "yes" to any of the following questions, you have a potential security risk.

  • Do you connect to the Internet?
  • Do you read e-mail?
  • Have you gotten any new programs—or any new versions of old programs—within, say, the last year?
  • Is there any important program or data item of which you do not have a second copy stored somewhere other than on your computer?

Almost every computer user today meets at least one of these conditions, and so you, and almost every other computer user, are at risk of some harmful computer security event. Risk does not mean you should stop using computers. You are at risk of being hit by a falling meteorite or of being robbed by a thief on the street, but you do not hide in a fortified underground bunker all day. You learn what puts you at risk and how to control it. Controlling a risk is not the same as eliminating it; you simply want to bring it to a tolerable level.

How do you control the risk of computer security?

  • Learn about the threats to computer security.
  • Understand what causes these threats by studying how vulnerabilities arise in the development and use of computer systems.
  • Survey the controls that can reduce or block these threats.
  • Develop a computing style—as a user, developer, manager, consumer, and voter—that balances security and risk.

Users and Uses of This Book

This book is intended for the study of computer security. Many of you want to study this topic: college and university students, computing professionals, managers, and users of all kinds of computer-based systems. All want to know the same thing: how to control the risk of computer security. But you may differ in how much information you need about particular topics: Some want a broad survey, whereas others want to focus on particular topics, such as networks or program development.

This book should provide the breadth and depth that most readers want. The book is organized by general area of computing, so that readers with particular interests can find information easily. The chapters of this book progress in an orderly manner, from general security concerns to the particular needs of specialized applications, and finally to overarching management and legal issues. Thus, the book covers five key areas of interest:

  • Introduction: threats, vulnerabilities, and controls
  • Encryption: the "Swiss army knife" of security controls
  • Code: security in programs, including applications, operating systems, database management systems, and networks
  • Management: implementing and maintaining a computing style
  • Law, privacy, ethics: nontechnical approaches by which society controls computer security risks

These areas are not equal in size; for example, more than half the book is devoted to code because so much of the risk is at least partly caused by program code that executes on computers.

The first chapter introduces the concepts and basic vocabulary of computer security. The second chapter provides an understanding of what encryption is and how it can be used or misused. Just as a driver's manual does not address how to design or build a car, Chapter 2 is for users of encryption, not designers of new encryption schemes. Chapters 3 through 7 cover successively larger pieces of software: individual programs, operating systems, complex applications like database management systems, and finally networks, which are distributed complex systems. Chapter 8 discusses managing and administering security, and finding an acceptable balance between threats and controls. Chapter 9 covers the way society at large addresses computer security, through its laws and ethical systems and through its concern for privacy. Finally, Chapter 10 returns to cryptography, this time to look at the details of the encryption algorithms themselves.

Within that organization, you can move about, picking and choosing topics of particular interest. Everyone should read Chapter 1 to build a vocabulary and a foundation. It is wise to read Chapter 2 because cryptography appears in so many different control techniques. Although there is a general progression from small programs to large and complex networks, you can in fact read Chapters 3 through 7 out of sequence or pick topics of greatest interest. Chapters 8 and 9 may be just right for the professional looking for nontechnical controls to complement the technical ones of the earlier chapters. These chapters may also be important for the computer science student who wants to look beyond a narrow view of bytes and protocols. Chapter 10 is for people who want to understand some of the underlying mathematics and logic of cryptography.

What background should you have to appreciate this book? The only assumption is an understanding of programming and computer systems. Someone who is an advanced undergraduate or graduate student in computer science certainly has that background, as does a professional designer or developer of computer systems. A user who wants to understand more about how programs work can learn from this book, too; we provide the necessary background on concepts of operating systems or networks, for example, before we address the related security concerns.

This book can be used as a textbook in a one- or two-semester course in computer security. The book functions equally well as a reference for a computer professional or as a supplement to an intensive training course. And the index and extensive bibliography make it useful as a handbook to explain significant topics and point to key articles in the literature. The book has been used in classes throughout the world; instructors often design one-semester courses that focus on topics of particular interest to students or that relate well to the rest of a curriculum.

What Is New in This Book?

This is the third edition of Security in Computing, first published in 1989. Since then, the specific threats, vulnerabilities, and controls have changed, even though many of the basic notions have remained the same.

The two changes most obvious to people familiar with the previous editions are networks and encryption. Networking has evolved even since the second edition was published, and there are many new concepts to master, such as distributed denial-of-service attacks or scripted vulnerability probing. As a consequence, the networks chapter is almost entirely new. Previous editions of this book presented encryption details in the same chapter as encryption uses. Although encryption is a fundamental tool in computer security, in this edition the what is presented straightforwardly in Chapter 2, while the how is reserved for the later Chapter 10. This structure lets readers get to the technical uses of encryption in programs and networks more quickly.

There are numerous other additions, of which these are the most significant ones:
  • the Advanced Encryption System (AES), the replacement for the Data Encryption System (DES) from the 1970s
  • programming flaws leading to security failures, highlighting buffer overflows, incomplete mediation, and time-of-check to time-of-use errors
  • recent malicious code attacks, such as Code Red
  • software engineering practices to improve program quality
  • assurance of code quality
  • authentication techniques such as biometrics and password generators
  • privacy issues in database management system security
  • mobile code, agents, and assurance of them
  • denial-of-service and distributed denial-of-service attacks
  • flaws in network protocols
  • security issues in wireless computing
  • honeypots and intrusion detection
  • copyright controls for digital media
  • threats to and controls for personal privacy
  • software quality, vulnerability reporting, and vendors' responsibilities
  • the ethics of hacking

In addition to these major changes, there are numerous small corrective and clarifying ones, ranging from wording changes to subtle notational changes for pedagogic reasons to replacement, deletion, rearrangement, and expansion of sections.
