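Security in Computing (English Edition, 3rd Edition)
Authors: Charles P. Pfleeger, Shari Lawrence Pfleeger (USA)
Series: Classic Original Editions Library (经典原版书库)
Publication date: 2004-01-01
ISBN: 7-111-13468-0
Price: 69.00 yuan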
Additional Information
Language: English
Pages: 746
Format: 16mo
Original title: Security in Computing
Original publisher: Prentice Hall
Category: Textbook
Book Description

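The classic guide to information security, covering the newest attacks and their countermeasures
  This book systematically explains how to ensure the confidentiality and integrity of data and how to control the availability of applications, databases, operating systems, and networks. It covers not only all the technical issues but also other aspects of security, such as law, privacy, ethics, and management.
  This book reflects today's new generation of security threats and security strategies, and offers practical guidance.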

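Features of This Book
  Wireless security, intrusion detection, AES, DRM, biometrics, honeypots, online privacy, and more.
  New attacks, including scripted vulnerability probing, denial of service, and buffer overflows, with their symptoms and countermeasures.
  An introduction to cryptography.
  How to strengthen program security.
  A detailed treatment of the design and protection measures of general-purpose and trusted operating systems.
  Rich teaching resources: each chapter ends with key terms, review questions, and exercises. An authoritative reference.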

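Book Highlights

Charles P. Pfleeger is the chief security architect at Cable & Wireless. He is primarily responsible for providing customers with security design and with implementation techniques for network applications and architectures.
  Shari Lawrence Pfleeger is a senior researcher at RAND. She has written eight books on software engineering, software measurement, and software quality, and was named one of the world's top software engineering researchers by The Journal of Systems and Software.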

Foreword

In the 1950s and 1960s, the prominent conference gathering places for practitioners and users of computer technology were the twice yearly Joint Computer Conferences (JCCs)--initially called the Eastern and Western JCCs, but later renamed the Spring and Fall JCCs and even later, the annual National (AFIPS) Computer Conference. From this milieu, the topic of computer security--later to be called information system security and currently also referred to as "protection of the national information infrastructure"--moved from the world of classified defense interests into public view.
  A few people--Robert L. Patrick, John P. Haverty, and myself among others--all then at The RAND Corporation (as its name was then known) had been talking about the growing dependence of the country and its institutions on computer technology. It concerned us that the installed systems might not be able to protect themselves and their data against intrusive and destructive attacks. We decided that it was time to bring the security aspect of computer systems to the attention of the technology and user communities.
  The enabling event was the development within the National Security Agency (NSA) of a remote-access time-sharing system with a full set of security access controls, running on a Univac 494 machine, and serving terminals and users not only within the headquarters building at Fort George G. Meade, Maryland, but also worldwide. Fortuitously, I knew details of the system.
  Persuading two others from RAND to help--Dr. Harold Peterson and Dr. Rein Turn--plus Bernard Peters of NSA, I organized a group of papers and presented it to the SJCC conference management as a ready-made additional paper session to be chaired by me. [1] The conference accepted the offer, and the session was presented at the Atlantic City (NJ) Convention Hall in 1967.
  Soon thereafter and driven by a request from a defense contractor to include both defense classified and business applications concurrently in a single mainframe machine functioning in a remote-access mode, the Department of Defense, acting through the Advanced Research Projects Agency (ARPA) and later the Defense Science Board (DSB), organized a committee, which I chaired, to study the issue of security controls for computer systems. The intent was to produce a document that could be the basis for formulating a DoD policy position on the matter.
  The report of the committee was initially published as a classified document and was formally presented to the sponsor (the DSB) in January 1970. It was later declassified and republished (by The RAND Corporation) in October 1979. [2] It was widely circulated and became nicknamed "the Ware report." The report and a historical introduction are available on the RAND web site. [3]
  Subsequently, the United States Air Force (USAF) sponsored another committee chaired by James P. Anderson. [4] Its report, published in 1972, recommended a 6-year R&D security program totaling some $8M. [5] The USAF responded and funded several projects, three of which were to design and implement an operating system with security controls for a specific computer.
  Eventually these activities led to the "Criteria and Evaluation" program sponsored by the NSA. It culminated in the "Orange Book" [6] in 1983 and subsequently its supporting array of documents, which were nicknamed "the rainbow series." [7] Later, in the 1980s and on into the 1990s, the subject became an international one leading to the ISO standard known as the "Common Criteria." [8]
  It is important to understand the context in which system security was studied in the early decades. The defense establishment had a long history of protecting classified information in document form. It had evolved a very elaborate scheme for compartmenting material into groups, sub-groups and super-groups, each requiring a specific personnel clearance and need-to-know as the basis for access. [9] It also had a centuries-long legacy of encryption technology and experience for protecting classified information in transit. Finally, it understood the personnel problem and the need to establish the trustworthiness of its people. And it certainly understood the physical security matter.
  Thus, "the" computer security issue, as it was understood in the 1960s and even later, was how to create in a computer system a group of access controls that would implement or emulate the processes of the prior paper world, plus the associated issues of protecting such software against unauthorized change, subversion and illicit use, and of embedding the entire system in a secure physical environment with appropriate management oversights and operational doctrine and procedures. The poorly understood aspect of security was primarily the software issue with, however, a collateral hardware aspect; namely, the risk that it might malfunction--or be penetrated--and subvert the proper behavior of software. For the related aspects of communications, personnel, and physical security, there was a plethora of rules, regulations, doctrine and experience to cover them. It was largely a matter of merging all of it with the hardware/software aspects to yield an overall secure system and operating environment.
  However, the world has now changed and in essential ways. The desk-top computer and workstation have appeared and proliferated widely. The Internet is flourishing and the reality of a World Wide Web is in place. Networking has exploded and communication among computer systems is the rule, not the exception. Many commercial transactions are now web-based; many commercial communities--the financial one in particular--have moved into a web posture. The "user" of any computer system can literally be anyone in the world. Networking among computer systems is ubiquitous; information-system outreach is the goal.
  The net effect of all of this has been to expose the computer-based information system--its hardware, its software, its software processes, its databases, its communications--to an environment over which no one--not end-user, not network administrator or system owner, not even government--has control. What must be done is to provide appropriate technical, procedural, operational and environmental safeguards against threats as they might appear or be imagined, embedded in a societally acceptable legal framework.
  And appear threats did--from individuals and organizations, national and international. The motivations to penetrate systems for evil purpose or to create malicious software--generally with an offensive or damaging consequence--vary from personal intellectual satisfaction to espionage, to financial reward, to revenge, to civil disobedience, and to other reasons. Information-system security has moved from a largely self-contained bounded environment interacting with a generally known and disciplined user community to one of worldwide scope with a body of users that may not be known and are not necessarily trusted. Importantly, security controls now must deal with circumstances over which there is largely no control or expectation of avoiding their impact.
Computer security, as it has evolved, shares a similarity with liability insurance; they each face a threat environment that is known in a very general way and can generate attacks over a broad spectrum of possibilities; but the exact details or even time or certainty of an attack is unknown until an event has occurred.
  On the other hand, the modern world thrives on information and its flows; the contemporary world, society and institutions cannot function without their computer-communication-based information systems. Hence, these systems must be protected in all dimensions--technical, procedural, operational, environmental. The system owner and its staff have become responsible for protecting the organization's information assets.
  Progress has been slow, in large part because the threat has not been perceived as real or as damaging enough; but also in part because the perceived cost of comprehensive information system security is seen as too high compared to the risks--especially the financial consequences--of not doing it. Managements, whose support with appropriate funding is essential, have been slow to be convinced.
  This book addresses the broad sweep of issues above: the nature of the threat and system vulnerabilities (Chapter 1); cryptography (Chapters 2 and 10); the Common Criteria (Chapter 5); the World Wide Web and Internet (Chapter 7); managing risk (Chapter 8); software vulnerabilities (Chapter 3); and legal, ethical and privacy issues (Chapter 9).
  The book also describes security controls that are currently available such as encryption protocols, software development practices, firewalls, and intrusion-detection systems.
  Overall, this book provides a broad and sound foundation for the information-system specialist who is charged with planning and/or organizing and/or managing and/or implementing a comprehensive information-system security program.
  Yet to be solved are many technical aspects of information security--R&D for hardware, software, systems, and architecture; and the corresponding products. Notwithstanding, technology per se is not the long pole in the tent of progress. Organizational and management motivation and commitment to get the security job done is. Today, the collective information infrastructure of the country and of the world is slowly moving up the learning curve; every mischievous or malicious event helps to push it along. The terrorism-based events of recent times are helping to drive it. Is it far enough up the curve to have reached an appropriate balance between system safety and threat? Almost certainly, the answer is "no, not yet; there is a long way to go." [10]

Willis H. Ware, RAND
Santa Monica, California
September 2002

Table of Contents

Foreword
Preface to the Third Edition
Chapter 1  Is There a Security Problem in Computing?
1.1  What Does "Secure" Mean?
Protecting Valuables
Characteristics of Computer Intrusion
1.2  Attacks
Threats, Vulnerabilities, and Controls
Method, Opportunity, and Motive
1.3  The Meaning of Computer Security
Security Goals
Vulnerabilities
1.4  Computer Criminals
Amateurs
Crackers
Career Criminals
1.5  Methods of Defense
Controls
Effectiveness of Controls
1.6  What's Next?
Encryption Overview
Hardware and Software Security
Human Controls in Security
Encryption In-Depth
1.7  Summary
1.8  Terms and Concepts
1.9  Where the Field Is Headed
1.10  To Learn More
1.11  Exercises
Chapter 2  Elementary Cryptography
2.1  Terminology and Background
Terminology
Representing Characters
2.2  Substitution Ciphers
The Caesar Cipher
Other Substitutions
One-Time Pads
Summary of Substitutions
2.3  Transpositions (Permutations)
Columnar Transpositions
Combinations of Approaches
2.4  Making "Good" Encryption Algorithms
What Makes a "Secure" Encryption Algorithm?
Symmetric and Asymmetric Encryption Systems
Stream and Block Ciphers
Confusion and Diffusion
Cryptanalysis--Breaking Encryption Schemes
2.5  The Data Encryption Standard (DES)
Background and History
Overview of the DES Algorithm
Double and Triple DES
Security of the DES
2.6  The AES Encryption Algorithm
The AES Contest
Overview of Rijndael
Strength of the Algorithm
Comparison of DES and AES
2.7  Public Key Encryption
Motivation
Characteristics
Rivest-Shamir-Adelman (RSA) Encryption
2.8  The Uses of Encryption
Cryptographic Hash Functions
Key Exchange
Digital Signatures
Certificates
2.9  Summary of Encryption
2.10 Terms and Concepts
2.11  Where the Field Is Headed
2.12  To Learn More
2.13  Exercises
Chapter 3  Program Security
3.1  Secure Programs
Fixing Faults
Unexpected Behavior
Types of Flaws
3.2  Nonmalicious Program Errors
Buffer Overflows
Incomplete Mediation
Time-of-Check to Time-of-Use Errors
Combinations of Nonmalicious Program Flaws
3.3  Viruses and Other Malicious Code
Why Worry About Malicious Code?
Kinds of Malicious Code
How Viruses Attach
Document Viruses
How Viruses Gain Control
Homes for Viruses
Virus Signatures
The Source of Viruses
Prevention of Virus Infection
Truths and Misconceptions About Viruses
First Example of Malicious Code: The Brain Virus
Another Example: The Internet Worm
More Malicious Code: Code Red
Malicious Code on the Web: Web Bugs
3.4  Targeted Malicious Code
Trapdoors
Salami Attacks
Covert Channels: Programs That Leak Information
3.5  Controls Against Program Threats
Developmental Controls
Operating System Controls on Use of Programs
Administrative Controls
Program Controls in General
3.6  Summary of Program Threats and Controls
3.7  Terms and Concepts
3.8  Where the Field Is Headed
3.9  To Learn More
3.10  Exercises
Chapter 4  Protection in General-Purpose Operating Systems
4.1  Protected Objects and Methods of Protection
A Bit of History
Protected Objects
Security Methods of Operating Systems
4.2  Memory and Address Protection
Fence
Relocation
Base/Bounds Registers
Tagged Architecture
Segmentation
Paging
Combined Paging with Segmentation
4.3  Control of Access to General Objects
Directory
Access Control List
Access Control Matrix
Capability
Procedure-Oriented Access Control
4.4  File Protection Mechanisms
Basic Forms of Protection
Single Permissions
Per-Object and Per-User Protection
4.5  User Authentication
Use of Passwords
Attacks on Passwords
Password Selection Criteria
The Authentication Process
Authentication Other Than Passwords
4.6 Summary of Security for Users
4.7 Terms and Concepts
4.8 Where the Field Is Headed
4.9 To Learn More
4.10  Exercises
Chapter 5  Designing Trusted Operating Systems
5.1  What Is a Trusted System?
5.2  Security Policies
Military Security Policy
Commercial Security Policies
5.3  Models of Security
Multilevel Security
Models Proving Theoretical Limitations of Security Systems
Summary of Models of Protection Systems
5.4  Trusted Operating System Design
Trusted System Design Elements
Security Features of Ordinary Operating Systems
Security Features of Trusted Operating Systems
Kernelized Design
Separation/Isolation
Virtualization
Layered Design
5.5  Assurance in Trusted Operating Systems
Typical Operating System Flaws
Assurance Methods
Open Source
Evaluation
5.6  Implementation Examples
General-Purpose Operating Systems
Operating Systems Designed for Security
5.7  Summary of Security in Operating Systems
5.8  Terms and Concepts
5.9  Where the Field Is Headed
5.10  To Learn More
5.11  Exercises
Chapter 6  Database Security
6.1  Introduction to Databases
Concept of a Database
Components of Databases
Advantages of Using Databases
6.2  Security Requirements
Integrity of the Database
Element Integrity
Auditability
Access Control
User Authentication
Availability
Integrity/Confidentiality/Availability
6.3  Reliability and Integrity
Protection Features from the Operating System
Two-Phase Update
Redundancy/Internal Consistency
Recovery
Concurrency/Consistency
Monitors
Summary of Data Reliability
6.4  Sensitive Data
Access Decisions
Types of Disclosures
Security versus Precision
6.5  Inference
Direct Attack
Indirect Attack
Aggregation
6.6  Multilevel Databases
The Case for Differentiated Security
Granularity
Security Issues
6.7  Proposals for Multilevel Security
Separation
Designs of Multilevel Secure Databases
Concluding Remarks
6.8  Summary of Database Security
6.9  Terms and Concepts
6.10 Where the Field Is Headed
6.11  To Learn More
6.12  Exercises
Chapter 7  Security in Networks
7.1  Network Concepts
The Network
Media
Protocols
Types of Networks
Topologies
Distributed Systems
APIs
Advantages of Computing Networks
7.2  Threats in Networks
What Makes a Network Vulnerable?
Who Attacks Networks?
Threat Precursors
Threats in Transit: Eavesdropping and Wiretapping
Protocol Flaws
Impersonation
Spoofing
Message Confidentiality Threats
Message Integrity Threats
Web Site Defacement
Denial of Service
Distributed Denial of Service
Threats to Active or Mobile Code
Complex Attacks
Summary of Network Vulnerabilities
7.3  Network Security Controls
Security Threat Analysis
Design and Implementation
Architecture
Encryption
Content Integrity
Strong Authentication
Access Controls
Alarms and Alerts
Honeypots
Traffic Flow Security
Controls Review
7.4  Firewalls
What Is a Firewall?
Design of Firewalls
Types of Firewalls
Personal Firewalls
Comparison of Firewall Types
Example Firewall Configurations
What Firewalls Can--and Cannot--Block
7.5  Intrusion Detection Systems
Types of IDSs
Goals for Intrusion Detection Systems
IDS Strengths and Limitations
7.6  Secure E-Mail
Security for E-Mail
Designs
Example Secure E-Mail Systems
7.7  Summary of Network Security
7.8  Terms and Concepts
7.9  Where the Field Is Headed
7.10  To Learn More
7.11  Exercises
Chapter 8  Administering Security
8.1  Security Planning
Contents of a Security Plan
Security Planning Team Members
Assuring Commitment to a Security Plan
Business Continuity Plans
Incident Response Plans
8.2  Risk Analysis
The Nature of Risk
Steps of a Risk Analysis
Arguments For and Against Risk Analysis
8.3  Organizational Security Policies
Purpose
Audience
Contents
Characteristics of a Good Security Policy
Examples
Policy Issue Example: Government E-Mail
8.4  Physical Security
Natural Disasters
Power Loss
Human Vandals
Interception of Sensitive Information
Contingency Planning
Physical Security Recap
8.5  Summary
8.6  Terms and Concepts
8.7  To Learn More
8.8  Exercises
Chapter 9  Legal, Privacy, and Ethical Issues in Computer Security
9.1  Protecting Programs and Data
Copyrights
Patents
Trade Secrets
Protection for Computer Objects
9.2  Information and the Law
Information as an Object
Legal Issues Relating to Information
Protecting Information
Summary of Protection for Computer Artifacts
9.3  Rights of Employees and Employers
Ownership of Products
9.4  Software Failures
Selling Correct Software
Reporting Software Flaws
9.5  Computer Crime
Why a Separate Category for Computer Crime Is Needed
Why Computer Crime Is Hard to Define
Why Computer Crime Is Hard to Prosecute
Examples of Statutes
International Dimensions
Why Computer Criminals Are Hard to Catch
What Computer Crime Does Not Address
Cryptography and the Law
Summary of Legal Issues in Computer Security
9.6  Privacy
Threats to Privacy
Controls Protecting Privacy
9.7  Ethical Issues in Computer Security
Differences Between the Law and Ethics
Studying Ethics
Ethical Reasoning
9.8  Case Studies of Ethics
Case I: Use of Computer Services
Case II: Privacy Rights
Case III: Denial of Service
Case IV: Ownership of Programs
Case V: Proprietary Resources
Case VI: Fraud
Case VII: Accuracy of Information
Case VIII: Ethics of Hacking or Cracking
Codes of Ethics
Conclusion of Computer Ethics
9.9  Terms and Concepts
9.10  To Learn More
9.11  Exercises
Chapter 10 Cryptography Explained
10.1  Mathematics for Cryptography
Complexity
Properties of Arithmetic
10.2  Symmetric Encryption
Fundamental Concepts
Data Encryption Standard (DES)
Advanced Encryption Standard (AES)
10.3  Public Key Encryption Systems
Characteristics
Merkle-Hellman Knapsacks
Rivest-Shamir-Adelman (RSA) Encryption
El Gamal and Digital Signature Algorithms
10.4  Quantum Cryptography
Quantum Physics
Photon Reception
Cryptography with Photons
Implementation
10.5  Summary of Encryption
10.6  Terms and Concepts
10.7  Where the Field Is Headed
10.8  To Learn More
10.9  Exercises
Bibliography
Index
