elementary information security
Elementary Information Security
JONES & BARTLETT LEARNING
Contents
Preface xvii
Chapter 1 Security from the Ground Up 1
1.1 The Security Landscape 1
1.1.1 Making Security Decisions 3
1.1.2 The Security Process 5
1.1.3 Continuous Improvement: A Basic Principle 6
1.2 Process Example: Bob's Computer 7
1.3 Assets and Risk Assessment 11
1.3.1 What Are We Protecting? 14
1.3.2 Security Boundaries 15
1.3.3 Security Architecture 17
1.3.4 Risk Assessment Overview 19
1.4 Identifying Risks 20
1.4.1 Threat Agents 20
1.4.2 Security Properties, Services, and Attacks 22
1.5 Prioritizing Risks 23
1.5.1 Example: Risks to Alice's Laptop 24
1.5.2 Other Risk-Assessment Processes 29
1.6 Ethical Issues in Security Analysis 31
1.6.1 Searching for Vulnerabilities 32
1.6.2 Sharing or Publishing Vulnerabilities 33
1.7 Security Example: Aircraft Hijacking 35
1.7.1 Hijacking: A High-Level Analysis 36
1.7.2 September 11, 2001 37
1.8 Resources 39
1.8.1 Review Questions 41
1.8.2 Exercises 41
Chapter 2 Controlling a Computer 43
2.1 Computers and Programs 43
2.1.1 Input/Output 45
2.1.2 Program Execution 47
2.1.3 Procedures 48
2.2 Programs and Processes 49
2.2.1 Switching Between Processes 51
2.2.2 The Operating System 53
2.3 Buffer Overflow and the Morris Worm 54
2.3.1 The "Finger" Overflow 55
2.3.2 Security Alerts 59
2.4 Access Control Strategies 60
2.4.1 Puzzles and Patterns 61
2.4.2 Chain of Control: Another Basic Principle
2.5 Keeping Processes Separate 65
2.5.1 Sharing a Program 68
2.5.2 Sharing Data 70
2.6 Security Policy and Implementation 71
2.6.1 Analyzing Alice's Risks 73
2.6.2 Constructing Alice's Policy 75
2.6.3 Alice's Security Controls 77
2.7 Security Plan: Process Protection 80
2.8 Resources 85
2.8.1 Review Questions 86
2.8.2 Exercises 87
Chapter 3 Controlling Files 91
3.1 The File System 91
3.1.1 File Ownership and Access Rights 94
3.1.2 Directory Access Rights 95
3.2 Executable Files 97
3.2.1 Execution Access Rights 98
3.2.2 Computer Viruses 100
3.2.3 Macro Viruses 103
3.2.4 Modern Malware: A Rogue's Gallery 104
3.3 Sharing and Protecting Files 106
3.3.1 Policies for Sharing and Protection 108
3.4 Security Controls for Files 111
3.4.1 Deny by Default: A Basic Principle 112
3.4.2 Managing Access Rights 114
3.4.3 Capabilities 115
3.5 File Security Controls 117
3.5.1 File Permission Flags 117
3.5.2 Security Controls to Enforce Bob's Policy 120
3.5.3 States and State Diagrams 121
3.6 Patching Security Flaws 123
3.7 Process Example: The Horse 127
3.7.1 Troy: A High-Level Analysis 128
3.7.2 Analyzing the Security Failure 129
3.8 Resources 130
3.8.1 Review Questions 130
3.8.2 Exercises 131
Chapter 4 Sharing Files 135
4.1 Controlled Sharing 135
4.1.1 Basic File Sharing on Windows 137
4.1.2 User Groups 139
4.1.3 Least Privilege and Administrative Users 140
4.2 File Permission Flags 143
4.2.1 Permission Flags and Ambiguities 146
4.2.2 Permission Flag Examples 147
4.3 Access Control Lists 149
4.3.1 POSIX ACLs 151
4.3.2 Macintosh OS-X ACLs 152
4.4 Microsoft Windows ACLs 156
4.4.1 Denying Access 157
4.4.2 Default File Protection 159
4.5 A Different Trojan Horse 163
4.6 Phase Five: Monitoring the System 165
4.6.1 Logging Events 167
4.6.2 External Security Requirements 170
4.7 Resources 173
4.7.1 Review Questions 173
4.7.2 Exercises 174
Chapter 5 Storing Files 177
5.1 Phase Six: Recovery 177
5.1.1 The Aftermath of an Incident 178
5.1.2 Legal Disputes 180
5.2 Digital Evidence 181
5.2.1 Collecting Legal Evidence 182
5.2.2 Digital Evidence Procedures 184
5.3 Storing Data on a Hard Drive 185
5.3.1 Hard Drive Controller 189
5.3.2 Hard Drive Formatting 190
5.3.3 Error Detection and Correction 192
5.3.4 Hard Drive Partitions 195
5.3.5 Memory Sizes and Address Variables 197
5.4 FAT: An Example File System 200
5.4.1 Boot Blocks 201
5.4.2 Building Files from Clusters 203
5.4.3 FAT Directories 206
5.5 Modern File Systems 207
5.5.1 Unix File System 209
5.5.2 Apple's HFS Plus 211
5.5.3 Microsoft's NTFS 212
5.6 Input/Output and File System Software 214
5.6.1 Software Layering 217
5.6.2 A Typical I/O Operation 220
5.6.3 Security and I/O 221
5.7 Resources 223
5.7.1 Review Questions 224
5.7.2 Exercises 225
Chapter 6 Authenticating People 229
6.1 Unlocking a Door 229
6.1.1 Authentication Factors 231
6.1.2 Threats and Risks 233
6.2 Evolution of Password Systems 237
6.2.1 One-Way Hash Functions 240
6.2.2 Sniffing Credentials 243
6.3 Password Guessing 244
6.3.1 Password Search Space 247
6.3.2 Truly Random Password Selection 249
6.3.3 Cracking Speeds 251
6.4 Attacks on Password Bias 252
6.4.1 Biased Choices and Average Attack Space 254
6.4.2 Estimating Language-Based Password Bias 257
6.5 Authentication Tokens 258
6.5.1 Challenge-Response Authentication 260
6.5.2 One-Time Password Tokens 264
6.5.3 Token Vulnerabilities 266
6.6 Biometric Authentication 268
6.6.1 Biometric Accuracy 269
6.6.2 Biometric Vulnerabilities 271
6.7 Authentication Policy 272
6.7.1 Weak and Strong Threats 272
6.7.2 Policies for Weak Threat Environments 274
6.7.3 Policies for Strong and Extreme Threats 276
6.7.4 Password Selection and Handling 279
6.8 Resources 281
6.8.1 Review Questions 281
6.8.2 Exercises 282
Chapter 7 Encrypting Files 285
7.1 Protecting the Accessible 285
7.1.1 Process Example: The Encrypted Diary 286
7.1.2 Encryption Basics 287
7.1.3 Encryption and Information States 291
7.2 Encryption and Cryptanalysis 293
7.2.1 The Vigenere Cipher 294
7.2.2 Electromechanical Encryption 296
7.3 Computer-Based Encryption 298
7.3.1 Exclusive Or: A Crypto Building Block 300
7.3.2 Stream Ciphers: Another Building Block 302
7.3.3 Key Stream Security 305
7.3.4 The One-Time Pad 306
7.4 File Encryption Software 309
7.4.1 Built-in File Encryption 309
7.4.2 Encryption Application Programs 311
7.4.3 Erasing a Plaintext File 313
7.4.4 Choosing a File Encryption Program 315
7.5 Digital Rights Management 317
7.6 Resources 320
7.6.1 Review Questions 321
7.6.2 Exercises 322
Chapter 8 Secret and Public Keys 325
8.1 The Key Management Challenge 325
8.1.1 Rekeying 327
8.1.2 Using Text for Encryption Keys 329
8.1.3 Key Strength 332
8.2 The Reused Key Stream Problem 333
8.2.1 Avoiding Reused Keys 335
8.2.2 Key Wrapping: Another Building Block 338
8.2.3 Separation of Duty: A Basic Principle 341
8.2.4 DVD Key Handling 343
8.3 Public-Key Cryptography 345
8.3.1 Sharing a Secret: Diffie-Hellman 348
8.3.2 Diffie-Hellman: The Basics of the Math 350
8.3.3 Elliptic Curve Cryptography 352
8.4 RSA: Rivest-Shamir-Adleman 353
8.4.1 Encapsulating Keys with RSA 354
8.4.2 An Overview of RSA Mathematics 356
8.5 Data Integrity and Digital Signatures 360
8.5.1 Detecting Malicious Changes 361
8.5.2 Detecting a Changed Hash Value 364
8.5.3 Digital Signatures 365
8.6 Publishing Public Keys 368
8.6.1 Public-Key Certificates 370
8.6.2 Chains of Certificates 371
8.6.3 Authenticated Software Updates 376
8.7 Resources
8.7.1 Review Questions 379
8.7.2 Exercises 379
Chapter 9 Encrypting Volumes 383
9.1 Securing a Volume 383
9.1.1 Risks to Volumes 384
9.1.2 Risks and Policy Trade-Offs 386
9.2 Block Ciphers 389
9.2.1 Evolution of DES and AES 392
9.2.2 The RC4 Story 395
9.2.3 Qualities of Good Encryption Algorithms 397
9.3 Block Cipher Modes 400
9.3.1 Stream Cipher Modes 402
9.3.2 Cipher Feedback Mode 406
9.3.3 Cipher Block Chaining 408
9.4 Encrypting a Volume 409
9.4.1 Volume Encryption in Software 411
9.4.2 Adapting an Existing Mode 413
9.4.3 A "Tweakable" Encryption Mode 416
9.4.4 Residual Risks 418
9.5 Encryption in Hardware 420
9.5.1 The Drive Controller 421
9.5.2 Drive Locking and Unlocking 422
9.6 Managing Encryption Keys 423
9.6.1 Key Storage 425
9.6.2 Booting an Encrypted Drive 427
9.6.3 Residual Risks to Keys 429
9.7 Resources 432
9.7.1 Review Questions 432
9.7.2 Exercises 433
Chapter 10 Connecting Computers 435
10.1 The Network Security Problem 435
10.1.1 Basic Network Attacks and Defenses 436
10.1.2 Physical Network Protection 438
10.1.3 Host and Network Integrity 439
10.2 Transmitting Information 442
10.2.1 Message Switching 444
10.2.2 Circuit Switching 446
10.2.3 Packet Switching 447
10.3 Putting Bits on a Wire 450
10.3.1 Wireless Transmission 451
10.3.2 Transmitting Packets 454
10.3.3 Recovering a Lost Packet 456
10.4 Ethernet: A Modern LAN 458
10.4.1 Wiring a Small Network 460
10.4.2 Ethernet Frame Format 461
10.4.3 Finding Host Addresses 463
10.4.4 Handling Collisions 465
10.5 The Protocol Stack 467
10.5.1 Relationships Between Layers 468
10.5.2 The OSI Protocol Model 470
10.6 Network Applications 472
10.6.1 Resource Sharing 474
10.6.2 Data and File Sharing 475
10.7 Resources 478
10.7.1 Review Questions 479
10.7.2 Exercises 479
Chapter 11 Networks of Networks 481
11.1 Building Information Networks 481
11.1.1 Point-to-Point Network 483
11.1.2 Star Network 484
11.1.3 Bus Network 486
11.1.4 Tree Network 487
11.1.5 Mesh 490
11.2 Combining Computer Networks 491
11.2.1 Hopping Between Networks 493
11.2.2 Evolution of Internet Security 495
11.2.3 Internet Structure 498
11.3 Talking Between Hosts 501
11.3.1 IP Addresses 503
11.3.2 IP Packet Format 504
11.3.3 Address Resolution Protocol 506
11.4 Internet Addresses in Practice 507
11.4.1 Addresses, Scope, and Reachability 509
11.4.2 Private IP Addresses 510
11.5 Network Inspection Tools 512
11.5.1 Wireshark Examples 514
11.5.2 Mapping a LAN with Nmap 516
11.6 Resources 520
11.6.1 Review Questions 520
11.6.2 Exercises 521
Chapter 12 End-to-End Networking 525
12.1 "Smart" Versus "Dumb" Networks 525
12.2 Internet Transport Protocols 526
12.2.1 Transmission Control Protocol 528
12.2.2 Attacks on Protocols 532
12.3 Names on the Internet 535
12.3.1 Domain Names in Practice 537
12.3.2 Looking Up Names 539
12.3.3 DNS Protocol 540
12.3.4 Investigating Domain Names 543
12.3.5 Attacking DNS 545
12.4 Internet Gateways and Firewalls 547
12.4.1 Network Address Translation 549
12.4.2 Filtering and Connectivity 553
12.4.3 Software-Based Firewalls 554
12.5 Long-Distance Networking 555
12.5.1 Older Technologies 557
12.5.2 Mature Technologies 559
12.5.3 Evolving Technologies 561
12.6 Resources 561
12.6.1 Review Questions 562
12.6.2 Exercises 563
Chapter 13 Enterprise Computing 567
13.1 The Challenge of Community 567
13.1.1 Companies and Information Control 568
13.1.2 Enterprise Risks 571
13.1.3 Social Engineering 573
13.2 Management Process 575
13.2.1 Security Management Standards 576
13.2.2 Deployment Policy Directives 578
13.2.3 Management Hierarchies and Delegation 579
13.2.4 Managing Information Resources 581
13.2.5 Security Audits 583
13.2.6 Information Security Professionals 584
13.3 Enterprise Issues 587
13.3.1 Personnel Security 588
13.3.2 Physical Security 592
13.3.3 Software Security 594
13.4 Enterprise Network Authentication 598
13.4.1 Direct Authentication 600
13.4.2 Indirect Authentication 602
13.4.3 Off-Line Authentication 606
13.5 Contingency Planning 608
13.5.1 Data Backup and Restoration 608
13.5.2 Handling Serious Incidents 612
13.5.3 Disaster Preparation and Recovery 613
13.6 Resources 616
13.6.1 Review Questions 617
13.6.2 Exercises 618
Chapter 14 Network Encryption 619
14.1 Communications Security 619
14.1.1 Crypto by Layers 621
14.1.2 Administrative and Policy Issues 627
14.2 Crypto Keys on a Network 629
14.2.1 Manual Keying: A Building Block 632
14.2.2 Simple Rekeying 633
14.2.3 Secret-Key Building Blocks 635
14.2.4 Public-Key Building Blocks 638
14.2.5 Public-Key Versus Secret-Key Exchanges 641
14.3 Crypto Atop the Protocol Stack 642
14.3.1 Transport Layer Security—SSL and TLS 645
14.3.2 SSL Handshake Protocol 647
14.3.3 SSL Record Transmission 648
14.4 Network Layer Cryptography 651
14.4.1 The Encapsulating Security Payload 654
14.4.2 Implementing a VPN 656
14.4.3 Internet Key Exchange Protocol 657
14.5 Link Encryption on 802.11 Wireless 659
14.5.1 Wireless Packet Protection 661
14.5.2 Security Associations 663
14.6 Encryption Policy Summary 665
14.7 Resources 668
14.7.1 Review Questions 669
14.7.2 Exercises 669
Chapter 15 Internet Services and Email 673
15.1 Internet Services 673
15.2 Internet Email 674
15.2.1 Email Protocol Standards 679
15.2.2 Tracking an Email 681
15.2.3 Forging an Email Message 684
15.3 Email Security Problems 687
15.3.1 Spam 688
15.3.2 Phishing 691
15.3.3 Email Viruses and Hoaxes 693
15.4 Enterprise Firewalls 695
15.4.1 Controlling Internet Traffic 697
15.4.2 Traffic-Filtering Mechanisms 698
15.4.3 Implementing Firewall Rules 701
15.5 Enterprise Point of Presence 705
15.5.1 POP Topology 706
15.5.2 Attacking an Enterprise Site 709
15.5.3 The Challenge of Real-Time Media 711
15.6 Resources 712
15.6.1 Review Questions 713
15.6.2 Exercises 713
Chapter 16 The World Wide Web 715
16.1 Hypertext Fundamentals 715
16.1.1 Addressing Web Pages 719
16.1.2 Retrieving a Static Web Page 722
16.2 Basic Web Security 724
16.2.1 Static Website Security 728
16.2.2 Server Authentication 730
16.2.3 Server Masquerades 735
16.3 Dynamic Websites 738
16.3.1 Scripts on the Web 739
16.3.2 States and HTTP 743
16.4 Content Management Systems 746
16.4.1 Database Management Systems 747
16.4.2 Password Checking: A CMS Example 750
16.4.3 Command Injection Attacks 752
16.5 Ensuring Web Security Properties 756
16.5.1 Web Availability 757
16.5.2 Web Privacy 758
16.6 Resources 760
16.6.1 Review Questions 761
16.6.2 Exercises 762
Chapter 17 Governments and Secrecy 765
17.1 Secrecy in Government 765
17.1.1 The Challenge of Secrecy 767
17.1.2 Information Security and Operations 770
17.2 Classifications and Clearances 773
17.2.1 Security Labeling 775
17.2.2 Security Clearances 777
17.2.3 Classification Levels in Practice 779
17.2.4 Compartments and Other Special Controls 780
17.3 National Policy Issues 786
17.3.1 Facets of National System Security 788
17.3.2 Security Planning 790
17.3.3 Certification and Accreditation 792
17.4 Communications Security 793
17.4.1 Cryptographic Technology 795
17.4.2 Crypto Security Procedures 797
17.4.3 Transmission Security 800
17.5 Data Protection 803
17.5.1 Protected Wiring 804
17.5.2 TEMPEST 805
17.6 Trustworthy Systems 808
17.6.1 Integrity of Operations 810
17.6.2 Multilevel Security 814
17.6.3 Computer Modes of Operation 816
17.7 Resources 818
17.7.1 Review Questions 820
17.7.2 Exercises 820
Appendix A Acronyms 823
Appendix B Alternative Security Terms and Concepts 833
Index 841
Credits 889