
William Stallings holds a PhD in computer science from the Massachusetts Institute of Technology and currently teaches in the School of Information Technology and Electrical Engineering at the Australian Defence Force Academy, University of New South Wales (Canberra). He is a world-renowned computer scientist and best-selling textbook author who has written 17 works and published more than 40 books, covering computer security, computer networking and computer architecture, and is regarded as an all-rounder in computing. He has nine times received the award for best computer science textbook of the year from the Text and Academic Authors Association (USA). Lawrie Brown teaches in the School of Information Technology and Electrical Engineering at the Australian Defence Force Academy, University of New South Wales (Canberra). His professional interests include cryptography, communications and computer systems security.
Preface v
About the Authors ix
Notation x
Acronyms xi

Chapter 0 Reader's and Instructor's Guide 1
0.1 Outline of the Book 2
0.2 A Roadmap for Readers and Instructors 3
0.3 Internet and Web Resources 3
0.4 Standards 5

Chapter 1 Overview 6
1.1 Computer Security Concepts 7
1.2 Threats, Attacks, and Assets 14
1.3 Security Functional Requirements 20
1.4 A Security Architecture for Open Systems 22
1.5 The Scope of Computer Security 27
1.6 Computer Security Trends 28
1.7 Computer Security Strategy 32
1.8 Recommended Reading and Web Sites 34
1.9 Key Terms, Review Questions, and Problems 36
Appendix 1A: Significant Security Standards and Documents 37

PART ONE COMPUTER SECURITY TECHNOLOGY AND PRINCIPLES 40

Chapter 2 Cryptographic Tools 41
2.1 Confidentiality with Symmetric Encryption 42
2.2 Message Authentication and Hash Functions 49
2.3 Public-Key Encryption 56
2.4 Digital Signatures and Key Management 61
2.5 Random and Pseudorandom Numbers 65
2.6 Practical Application: Encryption of Stored Data 67
2.7 Recommended Reading and Web Sites 68
2.8 Key Terms, Review Questions, and Problems 69

Chapter 3 User Authentication 74
3.1 Means of Authentication 75
3.2 Password-Based Authentication 76
3.3 Token-Based Authentication 88
3.4 Biometric Authentication 92
3.5 Remote User Authentication 97
3.6 Security Issues for User Authentication 99
3.7 Practical Application: An Iris Biometric System 101
3.8 Case Study: Security Problems for ATM Systems 103
3.9 Recommended Reading and Web Sites 106
3.10 Key Terms, Review Questions, and Problems 107

Chapter 4 Access Control 110
4.1 Access Control Principles 111
4.2 Subjects, Objects, and Access Rights 115
4.3 Discretionary Access Control 116
4.4 Example: UNIX File Access Control 122
4.5 Role-Based Access Control 125
4.6 Case Study: RBAC System for a Bank 134
4.7 Recommended Reading and Web Sites 137
4.8 Key Terms, Review Questions, and Problems 138

Chapter 5 Database Security 142
5.1 Database Management Systems 143
5.2 Relational Databases 144
5.3 Database Access Control 148
5.4 Inference 153
5.5 Statistical Databases 156
5.6 Database Encryption 166
5.7 Recommended Reading 170
5.8 Key Terms, Review Questions, and Problems 171

Chapter 6 Intrusion Detection 176
6.1 Intruders 177
6.2 Intrusion Detection 181
6.3 Host-Based Intrusion Detection 183
6.4 Distributed Host-Based Intrusion Detection 190
6.5 Network-Based Intrusion Detection 193
6.6 Distributed Adaptive Intrusion Detection 197
6.7 Intrusion Detection Exchange Format 200
6.8 Honeypots 202
6.9 Example System: Snort 204
6.10 Recommended Reading and Web Sites 208
6.11 Key Terms, Review Questions, and Problems 209
Appendix 6A: The Base-Rate Fallacy 211

Chapter 7 Malicious Software 215
7.1 Types of Malicious Software 216
7.2 Viruses 220
7.3 Virus Countermeasures 226
7.4 Worms 231
7.5 Bots 240
7.6 Rootkits 242
7.7 Recommended Reading and Web Sites 245
7.8 Key Terms, Review Questions, and Problems 246

Chapter 8 Denial of Service 249
8.1 Denial of Service Attacks 250
8.2 Flooding Attacks 257
8.3 Distributed Denial of Service Attacks 259
8.4 Reflector and Amplifier Attacks 261
8.5 Defenses Against Denial of Service Attacks 265
8.6 Responding to a Denial of Service Attack 269
8.7 Recommended Reading and Web Sites 270
8.8 Key Terms, Review Questions, and Problems 271

Chapter 9 Firewalls and Intrusion Prevention Systems 273
9.1 The Need for Firewalls 274
9.2 Firewall Characteristics 275
9.3 Types of Firewalls 276
9.4 Firewall Basing 283
9.5 Firewall Location and Configurations 286
9.6 Intrusion Prevention Systems 291
9.7 Example: Unified Threat Management Products 294
9.8 Recommended Reading and Web Sites 298
9.9 Key Terms, Review Questions, and Problems 299

Chapter 10 Trusted Computing and Multilevel Security 303
10.1 The Bell-LaPadula Model for Computer Security 304
10.2 Other Formal Models for Computer Security 314
10.3 The Concept of Trusted Systems 320
10.4 Application of Multilevel Security 323
10.5 Trusted Computing and the Trusted Platform Module 330
10.6 Common Criteria for Information Technology Security Evaluation 334
10.7 Assurance and Evaluation 340
10.8 Recommended Reading and Web Sites 345
10.9 Key Terms, Review Questions, and Problems 346

PART TWO SOFTWARE SECURITY 349

Chapter 11 Buffer Overflow 350
11.1 Stack Overflows 352
11.2 Defending Against Buffer Overflows 373
11.3 Other Forms of Overflow Attacks 379
11.4 Recommended Reading and Web Sites 385
11.5 Key Terms, Review Questions, and Problems 386

Chapter 12 Other Software Security Issues 388
12.1 Software Security Issues 389
12.2 Handling Program Input 392
12.3 Writing Safe Program Code 403
12.4 Interacting with the Operating System and Other Programs 408
12.5 Handling Program Input 419
12.6 Recommended Reading and Web Sites 422
12.7 Key Terms, Review Questions, and Problems 423

PART THREE MANAGEMENT ISSUES 426

Chapter 13 Physical and Infrastructure Security 427
13.1 Overview 428
13.2 Physical Security Threats 429
13.3 Physical Security Prevention and Mitigation Measures 435
13.4 Recovery from Physical Security Breaches 438
13.5 Threat Assessment, Planning, and Plan Implementation 439
13.6 Example: A Corporate Physical Security Policy 440
13.7 Integration of Physical and Logical Security 441
13.8 Recommended Reading and Web Sites 446
13.9 Key Terms, Review Questions, and Problems 447

Chapter 14 Human Factors 449
14.1 Security Awareness, Training, and Education 450
14.2 Organizational Security Policy 455
14.3 Employment Practices and Policies 461
14.4 E-Mail and Internet Use Policies 464
14.5 Example: A Corporate Security Policy Document 465
14.6 Recommended Reading and Web Sites 467
14.7 Key Terms, Review Questions, and Problems 468
Appendix 14A: Security Awareness Standard of Good Practice 469
Appendix 14B: Security Policy Standard of Good Practice 473

Chapter 15 Security Auditing 475
15.1 Security Auditing Architecture 476
15.2 The Security Audit Trail 481
15.3 Implementing the Logging Function 486
15.4 Audit Trail Analysis 497
15.5 Example: An Integrated Approach 501
15.6 Recommended Reading and Web Sites 504
15.7 Key Terms, Review Questions, and Problems 505

Chapter 16 IT Security Management and Risk Assessment 508
16.1 IT Security Management 509
16.2 Organizational Context and Security Policy 512
16.3 Security Risk Assessment 515
16.4 Detailed Security Risk Analysis 518
16.5 Case Study: Silver Star Mines 530
16.6 Recommended Reading and Web Sites 534
16.7 Key Terms, Review Questions, and Problems 536

Chapter 17 IT Security Controls, Plans and Procedures 538
17.1 IT Security Management Implementation 539
17.2 Security Controls or Safeguards 539
17.3 IT Security Plan 547
17.4 Implementation of Controls 548
17.5 Implementation Followup 550
17.6 Case Study: Silver Star Mines 556
17.7 Recommended Reading 559
17.8 Key Terms, Review Questions, and Problems 559

Chapter 18 Legal and Ethical Aspects 562
18.1 Cybercrime and Computer Crime 563
18.2 Intellectual Property 567
18.3 Privacy 574
18.4 Ethical Issues 580
18.5 Recommended Reading and Web Sites 586
18.6 Key Terms, Review Questions, and Problems 587
Appendix 18A: Information Privacy Standard of Good Practice 590

PART FOUR CRYPTOGRAPHIC ALGORITHMS 592

Chapter 19 Symmetric Encryption and Message Confidentiality 593
19.1 Symmetric Encryption and Message Confidentiality 594
19.2 Data Encryption Standard 598
19.3 Advanced Encryption Standard 600
19.4 Stream Ciphers and RC4 607
19.5 Cipher Block Modes of Operation 610
19.6 Location of Symmetric Encryption Devices 616
19.7 Key Distribution 618
19.8 Recommended Reading and Web Sites 620
19.9 Key Terms, Review Questions, and Problems 620

Chapter 20 Public-Key Cryptography and Message Authentication 625
20.1 Secure Hash Functions 626
20.2 HMAC 632
20.3 The RSA Public-Key Encryption Algorithm 635
20.4 Diffie-Hellman and Other Asymmetric Algorithms 641
20.5 Recommended Reading and Web Sites 646
20.6 Key Terms, Review Questions, and Problems 646

PART FIVE INTERNET SECURITY 650

Chapter 21 Internet Security Protocols and Standards 651
21.1 Secure Sockets Layer (SSL) and Transport Layer Security (TLS) 652
21.2 IPv4 and IPv6 Security 656
21.3 Secure Email and S/MIME 662
21.4 Recommended Reading and Web Sites 665
21.5 Key Terms, Review Questions, and Problems 666
Appendix 21A: Radix-64 Conversion 668

Chapter 22 Internet Authentication Applications 671
22.1 Kerberos 672
22.2 X.509 678
22.3 Public-Key Infrastructure 680
22.4 Federated Identity Management 683
22.5 Recommended Reading and Web Sites 687
22.6 Key Terms, Review Questions, and Problems 688

PART SIX OPERATING SYSTEM SECURITY 689

Chapter 23 Linux Security 690
23.1 Introduction 691
23.2 Linux's Security Model 691
23.3 The Linux DAC in Depth: Filesystem Security 693
23.4 Linux Vulnerabilities 699
23.5 Linux System Hardening 701
23.6 Application Security 709
23.7 Mandatory Access Controls 711
23.8 Recommended Reading and Web Sites 711
23.9 Key Terms, Review Questions, and Problems 718

Chapter 24 Windows and Windows Vista Security 720
24.1 Windows Security Architecture 721
24.2 Windows Vulnerabilities 728
24.3 Windows Security Defenses 729
24.4 Browser Defenses 737
24.5 Cryptographic Services 737
24.6 Common Criteria 738
24.7 Recommended Reading and Web Sites 739
24.8 Key Terms, Review Questions, Problems, and Projects 740

APPENDICES

Appendix A Some Aspects of Number Theory 742
A.1 Prime and Relatively Prime Numbers 743
A.2 Modular Arithmetic 744
A.3 Fermat's and Euler's Theorems 746

Appendix B Random and Pseudorandom Number Generation 750
B.1 The Use of Random Numbers 751
B.2 Pseudorandom Number Generators (PRNGs) 752
B.3 True Random Number Generators 757

Appendix C Projects for Teaching Computer Security 759
C.1 Research Projects 760
C.2 Hacking Projects 761
C.3 Programming Projects 761
C.4 Laboratory Exercises 762
C.5 Practical Security Assessments 762
C.6 Writing Assignments 762
C.7 Reading/Report Assignments 763

References 765
Index 783

ONLINE APPENDICES

Appendix D Standards and Standard-Setting Organizations
D.1 The Importance of Standards
D.2 Internet Standards and the Internet Society
D.3 National Institute of Standards and Technology
D.4 The International Telecommunication Union
D.5 The International Organization for Standardization

Appendix E TCP/IP Protocol Architecture
E.1 TCP/IP Layers
E.2 TCP and UDP
E.3 Operation of TCP/IP
E.4 TCP/IP Applications

Appendix F Glossary