Security in computing pfleeger pdf free download
Thoroughly updated to reflect the latest Internet-based threats, it shows how to control failures of confidentiality, integrity, and availability in applications, databases, operating systems, and networks alike.

It offers exceptionally clear and accessible coverage of cryptography and other technical issues; security administration; and law, privacy, and ethics. New coverage includes wireless security, intrusion detection, quantum cryptography, biometrics, DRM, AES, honeypots, online privacy, and much more. Includes bibliographical references and index.

Is there a security problem in computing?


With unlimited time, money, and capability, we might try to protect against all kinds of harm. But because our resources are limited, we must prioritize our protection, safeguarding only against serious threats and the ones we can control. Choosing the threats we try to mitigate involves a process called risk management, and it includes weighing the seriousness of a threat against our ability to protect.

Risk management involves choosing which threats to control and what resources to devote to protection.

Risk and Common Sense

The number and kinds of threats are practically unlimited because devising an attack requires an active imagination, determination, persistence, and time as well as access and resources.

The nature and number of threats in the computer world reflect life in general: The causes of harm are limitless and largely unpredictable. Natural disasters like volcanoes and earthquakes happen with little or no warning, as do auto accidents, heart attacks, influenza, and random acts of violence.

To protect against accidents or the flu, you might decide to stay indoors, never venturing outside. But by doing so, you trade one set of risks for another; while you are inside, you are vulnerable to building collapse. There are too many possible causes of harm for us to protect ourselves—or our computers—completely against all of them. In real life we make decisions every day about the best way to provide our security. For example, although we may choose to live in an area that is not prone to earthquakes, we cannot entirely eliminate earthquake risk.

Some choices are conscious, such as deciding not to walk down a dark alley in an unsafe neighborhood; other times our subconscious guides us, from experience or expertise, to take some precaution.

Computer security is similar. Or we consider alternative courses of action, such as transferring risk by purchasing insurance or even doing nothing if the side effects of the countermeasure could be worse than the possible harm.

The risk that remains uncovered by controls is called residual risk. This approach to risk management is a logical and sensible approach to protection, but it has significant drawbacks. In reality, it is difficult to assess the value of each asset; as we have seen, value can change depending on context, timing, and a host of other characteristics. Even harder is determining the impact of all possible threats.

The range of possible threats is effectively limitless, and it is difficult if not impossible in some situations to know the short- and long-term impacts of an action. For instance, Sidebar describes a study of the impact of security breaches over time on corporate finances, showing that a threat must be evaluated over time, not just at a single instance.

SIDEBAR Short- and Long-term Risks of Security Breaches

It was long assumed that security breaches would be bad for business: that customers, fearful of losing their data, would veer away from insecure businesses and toward more secure ones.

But empirical studies suggest that the picture is more complicated. Early studies of the effects of security breaches, such as that of Campbell [CAM03], examined the effects of breaches on stock price.

Cavusoglu et al. Myung Ko and Carlos Dorantes [KO06] looked at the longer-term financial effects of publicly announced breaches. Based on the Campbell et al. These are also considered tangible costs. Most of these costs are intangible costs that are difficult to calculate but extremely important in assessing the overall security breach costs to the organization.

Their findings were striking. Contrary to what you might suppose, the breached firms had no decrease in performance for the quarters following the breach, but their return on assets decreased in the third quarter. The comparison of treatment with control companies revealed that the control firms generally outperformed the breached firms. However, the breached firms outperformed the control firms in the fourth quarter. These results are consonant with the results of other researchers who conclude that there is minimal long-term economic impact from a security breach.

There are many reasons why this is so. For example, customers may think that all competing firms have the same vulnerabilities and threats, so changing to another vendor does not reduce the risk. Another possible explanation may be a perception that a breached company has better security since the breach forces the company to strengthen controls and thus reduce the likelihood of similar breaches.

All these studies have limitations, including small sample sizes and lack of sufficient data. But they clearly demonstrate the difficulties of quantifying and verifying the impacts of security risks, and point out a difference between short- and long-term effects. Although we should not apply protection haphazardly, we will necessarily protect against threats we consider most likely or most damaging.

For this reason, it is essential to understand how we perceive threats and evaluate their likely occurrence and impact. Sidebar summarizes some of the relevant research in risk perception and decision-making. Such research suggests that, for relatively rare instances such as high-impact security problems, we must take into account the ways in which people focus more on the impact than on the actual likelihood of occurrence.

SIDEBAR Perception of the Risk of Extreme Events

When a type of adverse event happens frequently, we can calculate its likelihood and impact by examining both frequency and nature of the collective set of events.

But security problems are often extreme events: They happen infrequently and under a wide variety of circumstances, so it is difficult to look at them as a group and draw general conclusions. He points out that evaluating risk in such cases can be a political endeavor as much as a scientific one.

He notes that we tend to let values, process, power, and trust influence our risk analysis [SLO99]. Beginning with Fischhoff et al. These feelings about risk, called affects by psychologists, enable researchers to discuss relative risks by placing them on a plane defined by the two perceptions as axes. A study by Loewenstein et al. In fact, if the two influences compete, feelings usually trump reason.

This characteristic of risk analysis is reinforced by prospect theory: studies of how people make decisions by using reason and feeling. Kahneman and Tversky [KAH79] showed that people tend to overestimate the likelihood of rare, unexperienced events because their feelings of dread and the unknown usually dominate analytical reasoning about the low likelihood of occurrence. By contrast, if people experience similar outcomes and their likelihood, their feeling of dread diminishes and they can actually underestimate rare events.

In other words, if the impact of a rare event is high (high dread), then people focus on the impact, regardless of the likelihood.

But if the impact of a rare event is small, then they pay attention to the likelihood. Let us look more carefully at the nature of a security threat. We have seen that one aspect—its potential harm—is the amount of damage it can cause; this aspect is the impact component of the risk.

A likely threat is not just one that someone might want to pull off but rather one that could actually occur. Some people might daydream about getting rich by robbing a bank; most, however, would reject that idea because of its difficulty if not its immorality or risk. One aspect of likelihood is feasibility: Is it even possible to accomplish the attack?

If the answer is no, then the likelihood is zero, and therefore so is the risk. So a good place to start in assessing risk is to look at whether the proposed action is feasible. Three factors determine feasibility: method, opportunity, and motive. Roughly speaking, method is the how; opportunity, the when; and motive, the why of an attack. Deny the attacker any of those three and the attack will not succeed.

Spending for security is based on the impact and likelihood of potential harm, both of which are nearly impossible to measure precisely.

Let us examine these properties individually.

Method

By method we mean the skills, knowledge, tools, and other things with which to perpetrate the attack. Think of comic figures that want to do something, for example, to steal valuable jewelry, but the characters are so inept that their every move is doomed to fail.

These people lack the capability or method to succeed, in part because there are no classes in jewel theft or books on burglary for dummies. Anyone can find plenty of courses and books about computing, however. Mass-market systems such as the Microsoft or Apple or Unix operating systems are readily available for purchase, as are common software products, such as word processors or database management systems, so potential attackers can even get hardware and software on which to experiment and perfect an attack.

Some manufacturers release detailed specifications on how the system was designed or how it operates, as guides for users and integrators who want to implement other complementary products. The term script kiddie describes someone who downloads a complete attack code package and needs only to enter a few details to identify the target and let the script perform the attack. Often, only time and inclination limit an attacker.

Opportunity

Opportunity is the time and access to execute an attack.

You hear that a fabulous apartment has just become available, so you rush to the rental agent, only to find someone else rented it five minutes earlier. You missed your opportunity. Many computer systems present ample opportunity for attack. Systems available to the public are, by definition, accessible; often their owners take special care to make them fully available so that if one hardware component fails, the owner has spares instantly ready to be pressed into service.

Other people are oblivious to the need to protect their computers, so unattended laptops and unsecured network connections give ample opportunity for attack. Some systems have private or undocumented entry points for administration or maintenance, but attackers can also find and use those entry points to attack the systems.

Motive

Finally, an attacker must have a motive or reason to want to attack. Why not? Because you have no reason to want to harm your neighbor: You lack motive.

We have already described some of the motives for computer crime: money, fame, self-esteem, politics, terror. It is often difficult to determine motive for an attack.

Other systems are attacked because they are easy to attack. And some systems are attacked at random simply because These factors give the advantage to the attacker because they are qualities or strengths the attacker must possess.

Method, opportunity, and motive are all necessary for an attack to succeed; deny any of these and the attack will fail.

Another factor, this time giving an advantage to the defender, determines whether an attack will succeed: The attacker needs a vulnerability, an undefended place to attack. If the defender removes vulnerabilities, the attacker cannot attack. Think of a bank, with an armed guard at the front door, bulletproof glass protecting the tellers, and a heavy metal vault requiring multiple keys for entry.

To rob a bank, you would have to think of how to exploit a weakness not covered by these defenses. For example, you might bribe a teller or pose as a maintenance worker.

Computer systems have vulnerabilities, too. In this book we consider many, such as weak authentication, lack of access control, errors in programs, finite or insufficient resources, and inadequate physical protection. Paired with a credible attack, each of these vulnerabilities can allow harm to confidentiality, integrity, or availability. Each attack vector seeks to Thus, the attack surface includes physical hazards, malicious attacks by outsiders, stealth data theft by insiders, mistakes, and impersonations.

Vulnerabilities are weaknesses that can allow harm to occur.

Although such attacks range from easy to highly improbable, analysts must consider all possibilities. Our next step is to find ways to block threats by neutralizing vulnerabilities. Harm occurs when a threat is realized against a vulnerability. To protect against harm, then, we can neutralize the threat, close the vulnerability, or both. The possibility for harm to occur is called risk. So, for example, we might try to prevent intrusions—but if we suspect we cannot prevent all of them, we might also install a detection device to warn of an imminent attack. And we should have in place incident-response procedures to

Security professionals balance the cost and effectiveness of controls with the likelihood and severity of harm.

In the Middle Ages, castles and fortresses were built to protect the people and valuable property inside.

We may combine strong locks on the doors with a burglar alarm, reinforced windows, and even a nosy neighbor to keep an eye on our valuables. In each case, we select one or more ways to deter an intruder or attacker, and we base our selection not only on the value of what we protect but also on the effort we think an attacker or intruder will expend to get inside.

Computer security has the same characteristics. We have many controls at our disposal. Some are easier than others to use or implement. Some are cheaper than others to use or implement. And some are more difficult than others for intruders to override. Figure illustrates how we use a combination of controls to secure our valuable resources.

We use one or more controls, according to what we are protecting, how the cost of protection compares with the risk of loss, and how hard we think intruders will work to get what they want. In this section, we present an overview of the controls available to us. In the rest of this book, we examine how to use controls against specific kinds of threats. We can group controls into three largely independent classes. The following list shows the classes and several examples of each type of control.

To avoid confusion, we do not use that term. As shown in the figure, you can think in terms of the property to be protected and the kind of threat when you are choosing appropriate types of countermeasures. None of these classes is necessarily better than or preferable to the others; they work in different ways with different kinds of results.

And it can be effective to use overlapping controls or defense in depth: more than one control or more than one class of control to achieve protection. Three principal parts of a computing system are subject to attacks: hardware, software, and data.

These three, and the communications among them, are susceptible to computer security vulnerabilities. In turn, those people and systems interested in compromising a system can devise attacks that exploit the vulnerabilities. Alas, clever attackers realize this confusion, so they may make their attack seem like a simple, random failure. A vulnerability is a weakness through which harm could occur. These two problems combine: Either without the other causes no harm, but a threat exercising a vulnerability means damage.

To control such a situation, we can either block or diminish the threat, or close the vulnerability, or both. Sometimes we fail to recognize a threat, or other times we may be unable or unwilling to close a vulnerability. Incomplete security is not a bad situation; rather, it demonstrates a balancing act: Control certain threats and vulnerabilities, apply countermeasures that are reasonable, and accept the risk of harm from uncountered cases. Alas, none of these three is in short supply, which means attacks are inevitable.
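The chapter's risk-management reasoning (weigh likelihood against impact, treat an attack as infeasible when the attacker lacks method, opportunity or motive, layer overlapping controls, and accept the residual risk, doing nothing where a control would cost more than the harm it prevents) can be made concrete in a small risk register. The following is an added example, not code from the textbook or its authors; the threats, probabilities, impacts, control costs and effectiveness figures are constructed, and the assumption that overlapping controls act as independent layers (so the fraction of attempts getting through all of them is the product of each layer's pass-through) is a deliberate simplification.

```python
"""Worked risk-management example (constructed; not from the textbook).

Model used here, an assumption kept deliberately simple:
  - inherent risk of a threat = likelihood * impact
  - an attack is infeasible (risk 0) unless the attacker has method,
    opportunity AND motive, as in the chapter's MOM discussion
  - each control blocks some fraction of attempts at a given threat;
    overlapping controls are treated as independent layers, so the
    fraction getting through all of them is the product of (1 - e_i)
  - residual risk = what is left after the chosen controls
All figures below are made up for illustration only.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float   # yearly probability of a successful attempt with no controls
    impact: float       # expected harm if it succeeds, in currency units
    method: bool        # attacker has the skills and tools
    opportunity: bool   # attacker has the time and access
    motive: bool        # attacker has a reason to try

    def feasible(self) -> bool:
        # Deny the attacker any one of the three and the attack cannot succeed.
        return self.method and self.opportunity and self.motive

    def missing_factors(self) -> list:
        return [n for n, ok in (("method", self.method), ("opportunity", self.opportunity),
                                ("motive", self.motive)) if not ok]

    def inherent_risk(self) -> float:
        return self.likelihood * self.impact if self.feasible() else 0.0


@dataclass
class Control:
    name: str
    cost: float
    effectiveness: dict   # threat name -> fraction of attempts blocked


def residual_risk(threat: Threat, controls) -> float:
    """Risk left for one threat after the given controls are applied."""
    if not threat.feasible():
        return 0.0
    p_through = threat.likelihood
    for control in controls:
        p_through *= 1.0 - control.effectiveness.get(threat.name, 0.0)
    return p_through * threat.impact


def total_residual(threats, controls) -> float:
    return sum(residual_risk(t, controls) for t in threats)


def choose_controls(threats, catalog, budget: float):
    """Pick the subset of controls within budget that minimises
    residual risk + control cost.  The empty set (do nothing) is the
    baseline, so a control is only adopted if it saves more than it costs."""
    best_set, best_total = (), total_residual(threats, ())
    for k in range(1, len(catalog) + 1):
        for subset in combinations(catalog, k):
            cost = sum(c.cost for c in subset)
            if cost > budget:
                continue
            total = total_residual(threats, subset) + cost
            if total < best_total:
                best_set, best_total = subset, total
    return best_set, best_total


# Constructed sample data.  The server room is locked and alarmed, so the
# "physical theft" attacker lacks opportunity and that risk scores zero.
THREATS = [
    Threat("ransomware via phishing",  0.30, 200_000, True, True,  True),
    Threat("insider data theft",       0.05, 500_000, True, True,  True),
    Threat("physical theft of server", 0.02,  50_000, True, False, True),
]
CONTROLS = [
    Control("security awareness training", 10_000, {"ransomware via phishing": 0.5}),
    Control("email filtering",             15_000, {"ransomware via phishing": 0.7}),
    Control("DLP monitoring",              40_000, {"insider data theft": 0.6}),
]


def report(threats, catalog, budget) -> str:
    chosen, total = choose_controls(threats, catalog, budget)
    lines = [f"inherent risk: {total_residual(threats, ()):,.0f}"]
    for t in threats:
        note = "" if t.feasible() else f" (infeasible: attacker lacks {', '.join(t.missing_factors())})"
        lines.append(f"  {t.name}: {t.inherent_risk():,.0f}{note}")
    lines.append(f"chosen controls within budget {budget:,.0f}: "
                 + (", ".join(c.name for c in chosen) or "none"))
    lines.append(f"residual risk: {total_residual(threats, chosen):,.0f}, "
                 f"residual risk + control cost: {total:,.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(THREATS, CONTROLS, budget=30_000))
```

With the sample figures the selection is email filtering alone: adding awareness training as a second layer would cut the phishing risk further, but the extra reduction is worth less than the training costs, and DLP monitoring is never adopted because its 40,000 cost exceeds the 15,000 of risk it removes. The model only reduces likelihood; a control that limits impact instead (backups, or the insurance the chapter mentions as risk transfer) would need a separate impact factor.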

In this chapter we have introduced the notions of threats and harm, vulnerabilities, attacks and attackers, and countermeasures. Attackers leverage threats that exploit vulnerabilities against valuable assets to cause harm, and we hope to devise countermeasures to eliminate means, opportunity, and motive. These concepts are the basis we need to study, understand, and master computer security. Countermeasures and controls can be applied to the data, the programs, the system, the physical devices, the communications links, the environment, and the personnel.

Sometimes several controls are needed to cover a single vulnerability, but sometimes one control addresses many problems at once. The rest of this book is organized around the major aspects or pieces of computer security. As you have certainly seen in almost daily news reports, computer security incidents abound. The nature of news is that failures are often reported, but seldom successes. You almost never read a story about hackers who tried to break into the computing system of a bank but were foiled because the bank had installed strong, layered defenses.

In fact, attacks repelled far outnumber those that succeed, but such good situations do not make interesting news items. Still, we do not want to begin with examples in which security controls failed. Instead, in Chapter 2 we begin by giving you descriptions of three powerful and widely used security protection methods.

We call these three our security toolkit, in part because they are effective but also because they are applicable. We refer to these techniques in probably every other chapter of this book, so we want not only to give them a prominent position up front but also to help lodge them in your brain. Our three featured tools are identification and authentication, access control, and encryption.

After presenting these three basic tools we lead into domains in which computer security applies. We begin with the simplest computer situations, individual programs, and explore the problems and protections of computer code in Chapter 3. We also consider malicious code, such as viruses and Trojan horses (defining those terms along with other types of harmful programs). As you will see in other ways, there is no magic that can make bad programs secure or turn programmers into protection gurus.

We do, however, point out some vulnerabilities that show up in computer code and describe ways to counter those weaknesses, both during program development and as a program executes.

Modern computing involves networking, especially using the Internet. We focus first on how networked computing affects individuals, primarily through browsers and other basic network interactions such as email. In Chapter 4 we look at how users can be tricked by skillful writers of malicious code.

We also see how the strength of operating systems can be undermined by attacks, called rootkits, that directly target operating systems and render them unable to protect themselves or their users. We also study a type of attack called denial of service, just what its name implies, that is the first major example of a failure of availability.

We consider data, databases, and data mining in Chapter 7. Integrity of the data in the databases is also a significant concern. In Chapter 8 we move even further from the individual user and study cloud computing, a technology becoming quite popular. There are security risks involved in this movement, however.

You may have noticed our structure: We organize our presentation from the user outward through programs, browsers, operating systems, networks, and the cloud, a progression from close to distant. In Chapter 9 we return to the user for a different reason: We consider privacy, a property closely related to confidentiality.

Our treatment here is independent of where the data are: on an individual computer, a network, or a database. Privacy is a property we as humans deserve, and computer security can help preserve it, as we present in that chapter. In Chapter 10 we look at several topics of management of computing as related to security. Security incidents occur, and computing installations need to be ready to respond, whether the cause is a hacker attack, software catastrophe, or fire.

Managers also have to decide what controls to employ, because countermeasures cost money that must be spent wisely. Computer security protection is hard to evaluate: When it works you do not know it does. Performing risk analysis and building a case for security are important management tasks.

Some security protections are beyond the scope an individual can address. Organized crime from foreign countries is something governments must deal with, through a legal system.

In Chapter 11 we consider laws affecting computer security. In Chapter 12 we return to cryptography, which we introduced in Chapter 2.

Cryptography merits courses and textbooks of its own, and the topic is detailed enough that most of the real work in the field is done at the graduate level and beyond. We use Chapter 2 to introduce the concepts enough to be able to apply them.

In Chapter 12 we expand upon that introduction and peek at some of the formal and mathematical underpinnings of cryptography. Finally, in Chapter 13 we raise four topic areas. These areas are the so-called Internet of Things (the interconnection of network-enabled devices from toasters to automobiles and insulin pumps), computer security economics, electronic voting, and computer-assisted terrorism and warfare. We trust this organization will help you to appreciate the richness of an important field that touches many of the things we depend on.

Distinguish between vulnerability, threat, and control. Theft usually results in some kind of harm. For example, if someone steals your car, you may suffer financial loss, inconvenience (by losing your mode of transportation), and emotional upset (because of invasion of your personal property and space). List three kinds of harm a company might experience from theft of computer equipment.

List at least three kinds of harm a company could experience from electronic espionage or unauthorized viewing of confidential company materials. List at least three kinds of damage a company could suffer when the integrity of a program or company data is compromised. List at least three kinds of harm a company could encounter from loss of service, that is, failure of availability. List the product or capability to which access is lost, and explain how this loss hurts the company.

Describe a situation in which you have experienced harm as a consequence of a failure of computer security. Was the failure malicious or not? Did the attack target you specifically or was it general and you were the unfortunate victim?

Describe two examples of vulnerabilities in automobiles for which auto manufacturers have instituted controls. Tell why you think these controls are effective, somewhat effective, or ineffective.

One control against accidental software deletion is to save all old versions of a program. Of course, this control is prohibitively expensive in terms of cost of storage. Suggest a less costly control against accidental software deletion. Is your control effective against all possible causes of software deletion? If not, what threats does it not cover?

On your personal computer, who can install programs? Who can change operating system data? Who can replace portions of the operating system? Can any of these actions be performed remotely? Suppose a program to print paychecks secretly leaks a list of names of employees earning more than a certain amount each month.

What controls could be instituted to limit the vulnerability of this leakage? Preserving confidentiality, integrity, and availability of data is a restatement of the concern over interruption, interception, modification, and fabrication. How do the first three concepts relate to the last four? That is, is any of the four equivalent to one or more of the three?

Is one of the three encompassed by one or more of the four? Do you think attempting to break in to (that is, obtain access to or use of) a computing system without authorization should be illegal? Why or why not? Describe an example (other than the ones mentioned in this chapter) of data whose confidentiality has a short timeliness, say, a day or less.

Describe an example of data whose confidentiality has a timeliness of more than a year. Do you currently use any computer security control measures?

If so, what? Against what attacks are you trying to protect? Describe an example in which absolute denial of service to a user (that is, the user gets no response from the computer) is a serious problem to that user. Could access by unauthorized people to a computing system result in a 10 percent denial of service to the legitimate users? When you say that software is of high quality, what do you mean? How does security fit in your definition of quality?

Developers often think of software quality in terms of faults and failures. Faults are problems (for example, loops that never terminate or misplaced commas in statements) that developers can see by looking at the code. Failures are problems, such as a system crash or the invocation of the wrong function, that are visible to the user.

Thus, faults can exist in programs but never become failures, because the conditions under which a fault becomes a failure are never reached. How do software vulnerabilities fit into this scheme of faults and failures? Is every fault a vulnerability? Is every vulnerability a fault? Who might want to attack your program?

What types of harm might they want to cause? What kinds of vulnerabilities might they exploit to cause harm? Consider a program that allows consumers to order products from the web. Who might want to attack the program? What kinds of vulnerabilities might they exploit to cause harm? Consider a program to accept and tabulate votes in an election.