Synopses & Reviews
This book contains a comprehensive introduction to security engineering the discipline of making systems resilient in the face of malice, error and mischance. While there are good books on many of the tools that security engineers use such as cryptography and computer access controls this is the first book that teaches how to use these tools intelligently to protect a wide range of systems.
A number of applications are described in some detail. These include the common electronic commerce protocols; copyright protection mechanisms (from pay-TV through DVD); the telephone system (including not just wireline phones but GSM and 3gpp); burglar alarms; medical record systems; banking systems (from automatic teller machines through branch bookkeeping to interbank money transfer); and a number of military systems (ranging from communications and logistics through electronic warfare). These are not just used to teach how tools such as cryptography should be applied, but a number of general system-level lessons such as what makes systems vulnerable to service denial attacks, and how to manage the trade-off between false alarms and missed alarms.
The book also provides a reference to a number of attack and defence technologies that are not covered well (or at all) in readily available books. These include anonymity systems (from anonymous remailers through de-identified medical databases); biometrics; security printing and seals; tamper-resistant electronics; emission security (from Tempest protection of PCs through power analysis attacks on smartcards). Although only a few dozen pages can be devoted to each topic, there are copious references for readers who need to learn more.
The third theme of the book is how the security engineering process can be managed. This includes topics ranging from cryptography policy, through the interaction of information security with economics, to what we can reasonably expect from evaluation and assurance.
Although it grew out of lectures in security given to students at Cambridge University, the material has been rewritten and expanded to be both self-contained and accessible to the working programmer or engineer. It can be used as a self-study guide, and read through from cover to cover; it can be used as a quick reference to particular applications or protection technologies; and it could also be used as a textbook. However, it is aimed solidly at the professional, rather than the academic, market.
Review
"While many of the chapter topics may sound unexciting, Anderson has a wonderful writing style and at times reads almost like a Tom Clancy thriller with its details of military command and control systems and other similar topics. Anyone responsible for information security should read Security Engineering." (UnixReview.com, July 2001)
"an eminently readable yet comprehensive book" (Network News, 12 September 2001)
Synopsis
"Security engineering is different from any other kind of programming. . . . if you're even thinking of doing any security engineering, you need to read this book."
— Bruce Schneier
"This is the best book on computer security. Buy it, but more importantly, read it and apply it in your work."
— Gary McGraw
This book created the discipline of security engineering
The world has changed radically since the first edition was published in 2001. Spammers, virus writers, phishermen, money launderers, and spies now trade busily with each other in a lively online criminal economy — and as they specialize, they get better. New applications, from search to social networks to electronic voting machines, provide new targets. And terrorism has changed the world. In this indispensable, fully updated guide, Ross Anderson reveals how to build systems that stay dependable whether faced with error or malice.
Here's straight talk about
- Technical engineering basics— cryptography, protocols, access controls, and distributed systems
Types of attack— phishing, Web exploits, card fraud, hardware hacks, and electronic warfare
Specialized protection mechanisms— what biometrics, seals, smartcards, alarms, and DRM do, and how they fail
Security economics— why companies build insecure systems, why it's tough to manage security projects, and how to cope
Security psychology— the privacy dilemma, what makes security too hard to use, and why deception will keep increasing
Policy— why governments waste money on security, why societies are vulnerable to terrorism, and what to do about it
Synopsis
"If you're even thinking of doing any security engineering, you need to read this book. It's the first, and only, end-to-end modern security design and engineering book ever written."-Bruce Schneier
"Many people are anxious about Internet security for PCs and servers," says leading expert Ross Anderson, "as if that's all there is when in reality security problems have just begun. By 2003, there may be more mobile phones on the Net than PCs, and they will be quickly followed by network-connected devices from refrigerators to burglar alarms to heart monitors. How will we manage the risks?"
Dense with anecdotes and war stories, readable, up-to-date and full of pointers to recent research, this book will be invaluable to you if you have to design systems to be resilient in the face of malice as well as error. Anderson provides the tools and techniques you'll need, discusses what's gone wrong in the past, and shows you how to get your design right the first time around.
You don't need to be a security expert to understand Anderson's truly accessible discussion of:
* Security engineering basics, from protocols, cryptography, and access controls to the nuts and bolts of distributed systems
* The lowdown on biometrics, tamper resistance, security seals, copyright marking, and many other protection technologies-for many of them, this is the first detailed information in an accessible textbook
* What sort of attacks are done on a wide range of systems-from banking and medical records through burglar alarms and smart cards to mobile phones and e-commerce-and how to stop them
* Management and policy issues-how computer security interacts with the law and with corporate culture
Synopsis
"Security engineering is different from any other kind of programming. . . . if you're even thinking of doing any security engineering, you need to read this book."
Bruce Schneier
"This is the best book on computer security. Buy it, but more importantly, read it and apply it in your work."
Gary McGraw
This book created the discipline of security engineering
The world has changed radically since the first edition was published in 2001. Spammers, virus writers, phishermen, money launderers, and spies now trade busily with each other in a lively online criminal economy and as they specialize, they get better. New applications, from search to social networks to electronic voting machines, provide new targets. And terrorism has changed the world. In this indispensable, fully updated guide, Ross Anderson reveals how to build systems that stay dependable whether faced with error or malice.
Ross Anderson is Professor of Security Engineering at Cambridge University and a pioneer of security economics. Widely recognized as one of the world's foremost authorities on security, he has published many studies of how real security systems fail and made trailblazing contributions to numerous technologies from peer-to-peer systems and API analysis through hardware security.
Here's straight talk about
- Technical engineering basics cryptography, protocols, access controls, and distributed systems
Types of attack phishing, Web exploits, card fraud, hardware hacks, and electronic warfare
Specialized protection mechanisms what biometrics, seals, smartcards, alarms, and DRM do, and how they fail
Security economics why companies build insecure systems, why it's tough to manage security projects, and how to cope
Security psychology the privacy dilemma, what makes security too hard to use, and why deception will keep increasing
Policy why governments waste money on security, why societies are vulnerable to terrorism, and what to do about it
Synopsis
The first quick reference guide to the do's and don'ts of creating high quality security systems.
Ross Anderson, widely recognized as one of the world's foremost authorities on security engineering, presents a comprehensive design tutorial that covers a wide range of applications. Designed for today's programmers who need to build systems that withstand malice as well as error (but have no time to go do a PhD in security), this book illustrates basic concepts through many real-world system design successes and failures. Topics range from firewalls, through phone phreaking and copyright protection, to frauds against e-businesses. Anderson's book shows how to use a wide range of tools, from cryptology through smartcards to applied psychology. As everything from burglar alarms through heart monitors to bus ticket dispensers starts talking IP, the techniques taught in this book will become vital to everyone who wants to build systems that are secure, dependable and manageable.
Description
Includes bibliographical references (p. 545-593) and index.
About the Author
Ross Anderson teaches and directs research in security, cryptography and software engineering at Cambridge University, England. He is recognized as one of the world's leading authorities on security engineering, and has published extensive studies on how real security systems fail on bank card fraud, phone phreaking, pay-TV hacking, ways to cheat metering systems and breaches of medical privacy. His paper on the "Eternity Service" has been one of the inspirations for recent developments in peer-to-peer networking, such as gnutella and mojonation, while his writings on subjects such as Tempest and tamper-resistance have become standard references.
He graduated in mathematics and natural science in 1978, got a qualification in computer engineering, and worked with a number of systems from avionics to banking and from burglar alarms to vehicle monitoring systems. He moved to Cambridge University in 1992, earned a doctorate in computer security, and joined the faculty. He has consulted to a wide range of organizations, large and small, and been an expert witness in a number of the critical court cases that have influenced the development of the industry.
Table of Contents
'Preface to the Second Edition.
Foreword by Bruce Schneier.
Preface.
Acknowledgments.
Part I.
Chapter 1 What Is Security Engineering?
Chapter 2 Usability and Psychology.
Chapter 3 Protocols.
Chapter 4 Access Control.
Chapter 5 Cryptography.
Chapter 6 Distributed Systems.
Chapter 7 Economics.
Part II.
Chapter 8 Multilevel Security.
Chapter 9 Multilateral Security.
Chapter 10 Banking and Bookkeeping.
Chapter 11 Physical Protection.
Chapter 12 Monitoring and Metering.
Chapter 13 Nuclear Command and Control.
Chapter 14 Security Printing and Seals.
Chapter 15 Biometrics.
Chapter 16 Physical Tamper Resistance.
Chapter 17 Emission Security.
Chapter 18 API Attacks.
Chapter 19 Electronic and Information Warfare.
Chapter 20 Telecom System Security.
Chapter 21 Network Attack and Defense.
Chapter 22 Copyright and DRM.
Chapter 23 The Bleeding Edge.
Part III.
Chapter 24 Terror, Justice and Freedom.
Chapter 25 Managing the Development of Secure Systems.
Chapter 26 System Evaluation and Assurance.
Chapter 27 Conclusions.
Bibliography.
Index. \n
'