Introduction to Computer Security, 1st Edition, by Matt Bishop. ISBN 0321247442, 9788177584257
Product details:
ISBN 10: 0321247442
ISBN 13: 9788177584257
Author: Matt Bishop
In this authoritative book, widely respected practitioner and teacher Matt Bishop presents a clear and useful introduction to the art and science of information security. Bishop’s insights and realistic examples will help any practitioner or student understand the crucial links between security theory and the day-to-day security challenges of IT environments.
Bishop explains the fundamentals of security: the different types of widely used policies, the mechanisms that implement these policies, the principles underlying both policies and mechanisms, and how attackers can subvert these tools, as well as how to defend against attackers. A practicum demonstrates how to apply these ideas and mechanisms to a realistic company.
Introduction to Computer Security, 1st Edition: Table of contents:
1. An Overview of Computer Security
1.1. The Basic Components
1.1.1. Confidentiality
1.1.2. Integrity
1.1.3. Availability
1.2. Threats
1.3. Policy and Mechanism
1.3.1. Goals of Security
1.4. Assumptions and Trust
1.5. Assurance
1.5.1. Specification
1.5.2. Design
1.5.3. Implementation
1.6. Operational Issues
1.6.1. Cost-Benefit Analysis
1.6.2. Risk Analysis
1.6.3. Laws and Customs
1.7. Human Issues
1.7.1. Organizational Problems
1.7.2. People Problems
1.8. Tying It All Together
1.9. Summary
1.10. Further Reading
1.11. Exercises
2. Access Control Matrix
2.1. Protection State
2.2. Access Control Matrix Model
2.3. Protection State Transitions
2.3.1. Conditional Commands
2.4. Summary
2.5. Further Reading
2.6. Exercises
3. Foundational Results
3.1. The General Question
3.2. Basic Results
3.3. Summary
3.4. Further Reading
3.5. Exercises
4. Security Policies
4.1. Security Policies
4.2. Types of Security Policies
4.3. The Role of Trust
4.4. Types of Access Control
4.5. Example: Academic Computer Security Policy
4.5.1. General University Policy
4.5.2. Electronic Mail Policy
4.5.2.1. The Electronic Mail Policy Summary
4.5.2.2. The Full Policy
4.5.2.3. Implementation at UC Davis
4.6. Summary
4.7. Further Reading
4.8. Exercises
5. Confidentiality Policies
5.1. Goals of Confidentiality Policies
5.2. The Bell-LaPadula Model
5.2.1. Informal Description
5.2.2. Example: The Data General B2 UNIX System
5.2.2.1. Assigning MAC Labels
5.2.2.2. Using MAC Labels
5.3. Summary
5.4. Further Reading
5.5. Exercises
6. Integrity Policies
6.1. Goals
6.2. Biba Integrity Model
6.3. Clark-Wilson Integrity Model
6.3.1. The Model
6.3.2. Comparison with the Requirements
6.3.3. Comparison with Other Models
6.4. Summary
6.5. Further Reading
6.6. Exercises
7. Hybrid Policies
7.1. Chinese Wall Model
7.1.1. Bell-LaPadula and Chinese Wall Models
7.1.2. Clark-Wilson and Chinese Wall Models
7.2. Clinical Information Systems Security Policy
7.2.1. Bell-LaPadula and Clark-Wilson Models
7.3. Originator Controlled Access Control
7.4. Role-Based Access Control
7.5. Summary
7.6. Further Reading
7.7. Exercises
8. Basic Cryptography
8.1. What Is Cryptography?
8.2. Classical Cryptosystems
8.2.1. Transposition Ciphers
8.2.2. Substitution Ciphers
8.2.2.1. Vigenère Cipher
8.2.2.2. One-Time Pad
8.2.3. Data Encryption Standard
8.2.4. Other Classical Ciphers
8.3. Public Key Cryptography
8.3.1. RSA
8.4. Cryptographic Checksums
8.4.1. HMAC
8.5. Summary
8.6. Further Reading
8.7. Exercises
9. Key Management
9.1. Session and Interchange Keys
9.2. Key Exchange
9.2.1. Classical Cryptographic Key Exchange and Authentication
9.2.2. Kerberos
9.2.3. Public Key Cryptographic Key Exchange and Authentication
9.3. Cryptographic Key Infrastructures
9.3.1. Certificate Signature Chains
9.3.1.1. X.509: Certification Signature Chains
9.3.1.2. PGP Certificate Signature Chains
9.3.2. Summary
9.4. Storing and Revoking Keys
9.4.1. Key Storage
9.4.2. Key Revocation
9.5. Digital Signatures
9.5.1. Classical Signatures
9.5.2. Public Key Signatures
9.6. Summary
9.7. Further Reading
9.8. Exercises
10. Cipher Techniques
10.1. Problems
10.1.1. Precomputing the Possible Messages
10.1.2. Misordered Blocks
10.1.3. Statistical Regularities
10.1.4. Summary
10.2. Stream and Block Ciphers
10.2.1. Stream Ciphers
10.2.1.1. Synchronous Stream Ciphers
10.2.1.2. Self-Synchronous Stream Ciphers
10.2.2. Block Ciphers
10.2.2.1. Multiple Encryption
10.3. Networks and Cryptography
10.4. Example Protocols
10.4.1. Secure Electronic Mail: PEM
10.4.1.1. Design Principles
10.4.1.2. Basic Design
10.4.1.3. Other Considerations
10.4.1.4. Conclusion
10.4.2. Security at the Network Layer: IPsec
10.4.2.1. IPsec Architecture
10.4.2.2. Authentication Header Protocol
10.4.2.3. Encapsulating Security Payload Protocol
10.4.3. Conclusion
10.5. Summary
10.6. Further Reading
10.7. Exercises
11. Authentication
11.1. Authentication Basics
11.2. Passwords
11.2.1. Attacking a Password System
11.2.2. Countering Password Guessing
11.2.2.1. Random Selection of Passwords
11.2.2.2. Pronounceable and Other Computer-Generated Passwords
11.2.2.3. User Selection of Passwords
11.2.2.4. Reusable Passwords and Dictionary Attacks
11.2.2.5. Guessing Through Authentication Functions
11.2.3. Password Aging
11.3. Challenge-Response
11.3.1. Pass Algorithms
11.3.2. One-Time Passwords
11.3.3. Hardware-Supported Challenge-Response Procedures
11.3.4. Challenge-Response and Dictionary Attacks
11.4. Biometrics
11.4.1. Fingerprints
11.4.2. Voices
11.4.3. Eyes
11.4.4. Faces
11.4.5. Keystrokes
11.4.6. Combinations
11.4.7. Caution
11.5. Location
11.6. Multiple Methods
11.7. Summary
11.8. Further Reading
11.9. Exercises
12. Design Principles
12.1. Overview
12.2. Design Principles
12.2.1. Principle of Least Privilege
12.2.2. Principle of Fail-Safe Defaults
12.2.3. Principle of Economy of Mechanism
12.2.4. Principle of Complete Mediation
12.2.5. Principle of Open Design
12.2.6. Principle of Separation of Privilege
12.2.7. Principle of Least Common Mechanism
12.2.8. Principle of Psychological Acceptability
12.3. Summary
12.4. Further Reading
12.5. Exercises
13. Representing Identity
13.1. What Is Identity?
13.2. Files and Objects
13.3. Users
13.4. Groups and Roles
13.5. Naming and Certificates
13.5.1. The Meaning of the Identity
13.5.2. Trust
13.6. Identity on the Web
13.6.1. Host Identity
13.6.1.1. Static and Dynamic Identifiers
13.6.1.2. Security Issues with the Domain Name Service
13.6.2. State and Cookies
13.6.3. Anonymity on the Web
13.6.3.1. Anonymity for Better or Worse
13.7. Summary
13.8. Further Reading
13.9. Exercises
14. Access Control Mechanisms
14.1. Access Control Lists
14.1.1. Abbreviations of Access Control Lists
14.1.2. Creation and Maintenance of Access Control Lists
14.1.2.1. Which Subjects Can Modify an Object’s ACL?
14.1.2.2. Do the ACLs Apply to a Privileged User?
14.1.2.3. Does the ACL Support Groups and Wildcards?
14.1.2.4. Conflicts
14.1.2.5. ACLs and Default Permissions
14.1.3. Revocation of Rights
14.1.4. Example: Windows NT Access Control Lists
14.2. Capabilities
14.2.1. Implementation of Capabilities
14.2.2. Copying and Amplifying Capabilities
14.2.3. Revocation of Rights
14.2.4. Limits of Capabilities
14.2.5. Comparison with Access Control Lists
14.3. Locks and Keys
14.3.1. Type Checking
14.4. Ring-Based Access Control
14.5. Propagated Access Control Lists
14.6. Summary
14.7. Further Reading
14.8. Exercises
15. Information Flow
15.1. Basics and Background
15.1.1. Information Flow Models and Mechanisms
15.2. Compiler-Based Mechanisms
15.2.1. Declarations
15.2.2. Program Statements
15.2.2.1. Assignment Statements
15.2.2.2. Compound Statements
15.2.2.3. Conditional Statements
15.2.2.4. Iterative Statements
15.2.2.5. Goto Statements
15.2.2.6. Procedure Calls
15.2.3. Exceptions and Infinite Loops
15.2.4. Concurrency
15.2.5. Soundness
15.3. Execution-Based Mechanisms
15.3.1. Fenton’s Data Mark Machine
15.3.2. Variable Classes
15.4. Example Information Flow Controls
15.4.1. Security Pipeline Interface
15.4.2. Secure Network Server Mail Guard
15.5. Summary
15.6. Further Reading
15.7. Exercises
16. Confinement Problem
16.1. The Confinement Problem
16.2. Isolation
16.2.1. Virtual Machines
16.2.2. Sandboxes
16.3. Covert Channels
16.3.1. Detection of Covert Channels
16.3.2. Mitigation of Covert Channels
16.4. Summary
16.5. Further Reading
16.6. Exercises
17. Introduction to Assurance
17.1. Assurance and Trust
17.1.1. The Need for Assurance
17.1.2. The Role of Requirements in Assurance
17.1.3. Assurance Throughout the Life Cycle
17.2. Building Secure and Trusted Systems
17.2.1. Life Cycle
17.2.1.1. Conception
17.2.1.2. Manufacture
17.2.1.3. Deployment
17.2.1.4. Fielded Product Life
17.2.2. The Waterfall Life Cycle Model
17.2.2.1. Requirements Definition and Analysis
17.2.2.2. System and Software Design
17.2.2.3. Implementation and Unit Testing
17.2.2.4. Integration and System Testing
17.2.2.5. Operation and Maintenance
17.2.2.6. Discussion
17.2.3. Other Models of Software Development
17.2.3.1. Exploratory Programming
17.2.3.2. Prototyping
17.2.3.3. Formal Transformation
17.2.3.4. System Assembly from Reusable Components
17.2.3.5. Extreme Programming
17.3. Building Security In or Adding Security Later
17.4. Summary
17.5. Further Reading
17.6. Exercises
18. Evaluating Systems
18.1. Goals of Formal Evaluation
18.1.1. Deciding to Evaluate
18.1.2. Historical Perspective of Evaluation Methodologies
18.2. TCSEC: 1983–1999
18.2.1. TCSEC Requirements
18.2.1.1. TCSEC Functional Requirements
18.2.1.2. TCSEC Assurance Requirements
18.2.2. The TCSEC Evaluation Classes
18.2.3. The TCSEC Evaluation Process
18.2.4. Impacts
18.2.4.1. Scope Limitations
18.2.4.2. Process Limitations
18.2.4.3. Contributions
18.3. FIPS 140: 1994–Present
18.3.1. FIPS 140 Requirements
18.3.2. FIPS 140-2 Security Levels
18.3.3. Impact
18.4. The Common Criteria: 1998–Present
18.4.1. Overview of the Methodology
18.4.2. CC Requirements
18.4.3. CC Security Functional Requirements
18.4.4. Assurance Requirements
18.4.5. Evaluation Assurance Levels
18.4.6. Evaluation Process
18.4.7. Impacts
18.4.8. Future of the Common Criteria
18.4.8.1. Interpretations
18.4.8.2. Assurance Class AMA and Family ALC_FLR
18.4.8.3. Products Versus Systems
18.4.8.4. Protection Profiles and Security Targets
18.4.8.5. Assurance Class AVA
18.4.8.6. EAL5
18.5. SSE-CMM: 1997–Present
18.5.1. The SSE-CMM Model
18.5.2. Using the SSE-CMM
18.6. Summary
18.7. Further Reading
18.8. Exercises
19. Malicious Logic
19.1. Introduction
19.2. Trojan Horses
19.3. Computer Viruses
19.3.1. Boot Sector Infectors
19.3.2. Executable Infectors
19.3.3. Multipartite Viruses
19.3.4. TSR Viruses
19.3.5. Stealth Viruses
19.3.6. Encrypted Viruses
19.3.7. Polymorphic Viruses
19.3.8. Macro Viruses
19.4. Computer Worms
19.5. Other Forms of Malicious Logic
19.5.1. Rabbits and Bacteria
19.5.2. Logic Bombs
19.6. Defenses
19.6.1. Malicious Logic Acting as Both Data and Instructions
19.6.2. Malicious Logic Assuming the Identity of a User
19.6.2.1. Information Flow Metrics
19.6.2.2. Reducing the Rights
19.6.2.3. Sandboxing
19.6.3. Malicious Logic Crossing Protection Domain Boundaries by Sharing
19.6.4. Malicious Logic Altering Files
19.6.5. Malicious Logic Performing Actions Beyond Specification
19.6.5.1. Proof-Carrying Code
19.6.6. Malicious Logic Altering Statistical Characteristics
19.6.7. The Notion of Trust
19.7. Summary
19.8. Further Reading
19.9. Exercises
20. Vulnerability Analysis
20.1. Introduction
20.2. Penetration Studies
20.2.1. Goals
20.2.2. Layering of Tests
20.2.3. Methodology at Each Layer
20.2.4. Flaw Hypothesis Methodology
20.2.4.1. Information Gathering and Flaw Hypothesis
20.2.4.2. Flaw Testing
20.2.4.3. Flaw Generalization
20.2.4.4. Flaw Elimination
20.2.5. Example: Penetration of the Michigan Terminal System
20.2.6. Example: Compromise of a Burroughs System
20.2.7. Example: Penetration of a Corporate Computer System
20.2.8. Example: Penetrating a UNIX System
20.2.9. Example: Penetrating a Windows NT System
20.2.10. Debate
20.2.11. Conclusion
20.3. Vulnerability Classification
20.3.1. Two Security Flaws
20.4. Frameworks
20.4.1. The RISOS Study
20.4.1.1. The Flaw Classes
20.4.1.2. Legacy
20.4.2. Protection Analysis Model
20.4.2.1. The Flaw Classes
20.4.2.2. Legacy
20.4.3. The NRL Taxonomy
20.4.3.1. The Flaw Classes
20.4.3.2. Legacy
20.4.4. Aslam’s Model
20.4.4.1. The Flaw Classes
20.4.4.2. Legacy
20.4.5. Comparison and Analysis
20.4.5.1. The xterm Log File Flaw
20.4.5.2. The fingerd Buffer Overflow Flaw
20.4.5.3. Summary
20.5. Summary
20.6. Further Reading
20.7. Exercises
21. Auditing
21.1. Definitions
21.2. Anatomy of an Auditing System
21.2.1. Logger
21.2.2. Analyzer
21.2.3. Notifier
21.3. Designing an Auditing System
21.3.1. Implementation Considerations
21.3.2. Syntactic Issues
21.3.3. Log Sanitization
21.3.4. Application and System Logging
21.4. A Posteriori Design
21.4.1. Auditing to Detect Violations of a Known Policy
21.4.1.1. State-Based Auditing
21.4.1.2. Transition-Based Auditing
21.4.2. Auditing to Detect Known Violations of a Policy
21.5. Auditing Mechanisms
21.5.1. Secure Systems
21.5.2. Nonsecure Systems
21.6. Examples: Auditing File Systems
21.6.1. Audit Analysis of the NFS Version 2 Protocol
21.6.2. The Logging and Auditing File System (LAFS)
21.6.3. Comparison
21.7. Audit Browsing
21.8. Summary
21.9. Further Reading
21.10. Exercises
22. Intrusion Detection
22.1. Principles
22.2. Basic Intrusion Detection
22.3. Models
22.3.1. Anomaly Modeling
22.3.2. Misuse Modeling
22.3.3. Specification Modeling
22.3.4. Summary
22.4. Architecture
22.4.1. Agent
22.4.1.1. Host-Based Information Gathering
22.4.1.2. Network-Based Information Gathering
22.4.1.3. Combining Sources
22.4.2. Director
22.4.3. Notifier
22.5. Organization of Intrusion Detection Systems
22.5.1. Monitoring Network Traffic for Intrusions: NSM
22.5.2. Combining Host and Network Monitoring: DIDS
22.5.3. Autonomous Agents: AAFID
22.6. Intrusion Response
22.6.1. Incident Prevention
22.6.2. Intrusion Handling
22.6.2.1. Containment Phase
22.6.2.2. Eradication Phase
22.6.2.3. Follow-Up Phase
22.7. Summary
22.8. Further Reading
22.9. Exercises
23. Network Security
23.1. Introduction
23.2. Policy Development
23.2.1. Data Classes
23.2.2. User Classes
23.2.3. Availability
23.2.4. Consistency Check
23.3. Network Organization
23.3.1. Firewalls and Proxies
23.3.2. Analysis of the Network Infrastructure
23.3.2.1. Outer Firewall Configuration
23.3.2.2. Inner Firewall Configuration
23.3.3. In the DMZ
23.3.3.1. DMZ Mail Server
23.3.3.2. DMZ WWW Server
23.3.3.3. DMZ DNS Server
23.3.3.4. DMZ Log Server
23.3.3.5. Summary
23.3.4. In the Internal Network
23.3.5. General Comment on Assurance
23.4. Availability and Network Flooding
23.4.1. Intermediate Hosts
23.4.2. TCP State and Memory Allocations
23.5. Anticipating Attacks
23.6. Summary
23.7. Further Reading
23.8. Exercises
24. System Security
24.1. Introduction
24.2. Policy
24.2.1. The Web Server System in the DMZ
24.2.2. The Development System
24.2.3. Comparison
24.2.4. Conclusion
24.3. Networks
24.3.1. The Web Server System in the DMZ
24.3.2. The Development System
24.3.3. Comparison
24.4. Users
24.4.1. The Web Server System in the DMZ
24.4.2. The Development System
24.4.3. Comparison
24.5. Authentication
24.5.1. The Web Server System in the DMZ
24.5.2. Development Network System
24.5.3. Comparison
24.6. Processes
24.6.1. The Web Server System in the DMZ
24.6.2. The Development System
24.6.3. Comparison
24.7. Files
24.7.1. The Web Server System in the DMZ
24.7.2. The Development System
24.7.3. Comparison
24.8. Retrospective
24.8.1. The Web Server System in the DMZ
24.8.2. The Development System
24.9. Summary
24.10. Further Reading
24.11. Exercises
25. User Security
25.1. Policy
25.2. Access
25.2.1. Passwords
25.2.2. The Login Procedure
25.2.2.1. Trusted Hosts
25.2.3. Leaving the System
25.3. Files and Devices
25.3.1. Files
25.3.1.1. File Permissions on Creation
25.3.1.2. Group Access
25.3.1.3. File Deletion
25.3.2. Devices
25.3.2.1. Writable Devices
25.3.2.2. Smart Terminals
25.3.2.3. Monitors and Window Systems
25.4. Processes
25.4.1. Copying and Moving Files
25.4.2. Accidentally Overwriting Files
25.4.3. Encryption, Cryptographic Keys, and Passwords
25.4.4. Start-up Settings
25.4.5. Limiting Privileges
25.4.6. Malicious Logic
25.5. Electronic Communications
25.5.1. Automated Electronic Mail Processing
25.5.2. Failure to Check Certificates
25.5.3. Sending Unexpected Content
25.6. Summary
25.7. Further Reading
25.8. Exercises
26. Program Security
26.1. Introduction
26.2. Requirements and Policy
26.2.1. Requirements
26.2.2. Threats
26.2.2.1. Group 1: Unauthorized Users Accessing Role Accounts
26.2.2.2. Group 2: Authorized Users Accessing Role Accounts
26.2.2.3. Summary
26.3. Design
26.3.1. Framework
26.3.1.1. User Interface
26.3.1.2. High-Level Design
26.3.2. Access to Roles and Commands
26.3.2.1. Interface
26.3.2.2. Internals
26.3.2.3. Storage of the Access Control Data
26.4. Refinement and Implementation
26.4.1. First-Level Refinement
26.4.2. Second-Level Refinement
26.4.3. Functions
26.4.3.1. Obtaining Location
26.4.3.2. The Access Control Record
26.4.3.3. Error Handling in the Reading and Matching Routines
26.4.4. Summary
26.5. Common Security-Related Programming Problems
26.5.1. Improper Choice of Initial Protection Domain
26.5.1.1. Process Privileges
26.5.1.2. Access Control File Permissions
26.5.1.3. Memory Protection
26.5.1.4. Trust in the System
26.5.2. Improper Isolation of Implementation Detail
26.5.2.1. Resource Exhaustion and User Identifiers
26.5.2.2. Validating the Access Control Entries
26.5.2.3. Restricting the Protection Domain of the Role Process
26.5.3. Improper Change
26.5.3.1. Memory
26.5.3.2. Changes in File Contents
26.5.3.3. Race Conditions in File Accesses
26.5.4. Improper Naming
26.5.5. Improper Deallocation or Deletion
26.5.6. Improper Validation
26.5.6.1. Bounds Checking
26.5.6.2. Type Checking
26.5.6.3. Error Checking
26.5.6.4. Checking for Valid, not Invalid, Data
26.5.6.5. Checking Input
26.5.6.6. Designing for Validation
26.5.7. Improper Indivisibility
26.5.8. Improper Sequencing
26.5.9. Improper Choice of Operand or Operation
26.5.10. Summary
26.6. Testing, Maintenance, and Operation
26.6.1. Testing
26.6.1.1. Testing the Module
26.6.2. Testing Composed Modules
26.6.3. Testing the Program
26.7. Distribution
26.8. Conclusion
26.9. Summary
26.10. Further Reading
26.11. Exercises
27. Lattices
27.1. Basics
27.2. Lattices
27.3. Exercises
28. The Extended Euclidean Algorithm
28.1. The Euclidean Algorithm
28.2. The Extended Euclidean Algorithm
28.3. Solving ax mod n = 1
28.4. Solving ax mod n = b
28.5. Exercises
29. Virtual Machines
29.1. Virtual Machine Structure
29.2. Virtual Machine Monitor
29.2.1. Privilege and Virtual Machines
29.2.2. Physical Resources and Virtual Machines
29.2.3. Paging and Virtual Machines
29.3. Exercises