Synopses & Reviews
There's a lot more consciousness of security today, but not a lot of understanding of what it means and how far it should go. No one loves security, but most people---managers, system administrators and users alike---are starting to feel that they'd better accept it, or at least try to understand it.
For example, most U.S. Government equipment acquisitions now require "Orange Book" (Trusted Computer System Evaluation Criteria) certification. A lot of people have a vague feeling that they ought to know about the Orange Book, but few make the effort to track it down and read it. Computer Security Basics contains a more readable introduction to the Orange Book---why it exists, what it contains, and what the different security levels are all about---than any other book or government publication.
This handbook describes complicated concepts such as trusted systems, encryption, and mandatory access control in simple terms. It tells you what you need to know to understand the basics of computer security, and it will help you persuade your employees to practice safe computing.
Contents include:
- Introduction (basic computer security concepts, security breaches such as the Internet worm).
- Computer security and requirements of the Orange Book.
- Communications and network security.
- Peripheral types of security (including biometric devices, physical controls, and TEMPEST).
- Appendices: terms, sources, user groups, and other reference material.
Synopsis
Deborah Russell provides a broad introduction to the many areas of computer security and a detailed description of how the government sets standards and guidelines for security products. The book describes complicated concepts such as trusted systems, encryption and mandatory access control in simple terms, and includes an introduction to the "Orange Book".
Description
Includes bibliographical references (p. 359-401) and index.
About the Author
Deborah Russell manages documentation consulting services for a joint venture of O'Reilly & Associates and Cambridge Computer Associates. In recent years, the focus of her consulting work has been computer security. Her consulting projects include work on the development of a secure UNIX kernel, several trusted operating systems, and a secure compartmented mode workstation. Ms. Russell has worked closely with a number of vendors during the "Orange Book" trusted system evaluation process. She has a degree from Harvard University.
Table of Contents
Preface
About This Book
Summary of Contents
Acknowledgments
Comments and Questions
Part I. OVERVIEW
Chapter 1. Introduction
Attack of the Giant Worm (and Other Tales)
What Is Computer Security?
A Broader Definition of Security
Secrecy and Confidentiality
Accuracy, Integrity, and Authenticity
Availability
Threats to Security
Vulnerabilities
Threats
Countermeasures
Why Buy Security?
Government Requirements
Information Protection
What's A User To Do?
Chapter 2. Some Security History
Information and its Controls
Computer Security: Then and Now
Early Computer Security Efforts
Tiger Teams
Research and Modeling
Secure Systems Development
Building Toward Standardization
Standards for Secure Systems
Standards for Cryptography
Standards for Emanations
Computer Security Mandates and Legislation
NSDD
NTISSP
Computer Fraud and Abuse Act
Computer Security Act
Searching for a Balance
Recent Government Security Initiatives
Privacy Considerations
International Security Activity
The Growth of Modern Standards
Part II. COMPUTER SECURITY
Chapter 3. Computer System Security and Access Controls
What Makes a System Secure?
System Access: Logging Into Your System
Identification and Authentication
Protecting Passwords
Data Access: Protecting Your Data
Discretionary Access Control
Mandatory Access Control
Chapter 4. Viruses and Other Wildlife
Viruses
Worms
Trojan Horses
Bombs
Trap Doors
Spoofs
Other Wildlife
Remedies
Chapter 5. Secure System Planning and Administration
Administrative Security
Overall Planning and Administration
Analyzing Costs and Risks
Planning for Disaster
Setting Security Rules for Employees
Training Users
Day-to-day Administration
Performing Backups
Performing a Security Audit
Separation of Duties
Chapter 6. Inside the Orange Book
Introduction to the Orange Book
A Summary of Security Concepts
What's a Trusted System?
Measuring Trust
Trusted Computing Base
Security Policy
Security Model
Security Kernel
Security Perimeter
Orange Book Evaluation Classes
Comparison of Evaluation Classes
Complaints About the Orange Book
Evaluations of Secure Systems
Security Policy Requirements
Discretionary Access Control
Object Reuse
Labels
Mandatory Access Control
Accountability Requirements
Identification and Authentication
Trusted Path
Audit
Assurance Requirements
Operational Assurance
Life-cycle Assurance
Documentation Requirements
Security Features User's Guide
Trusted Facility Manual
Test Documentation
Design Documentation
Summary of Classes
D Systems: Minimal Security
C1 Systems: Discretionary Security Protection
C2 Systems: Controlled Access Protection
B1 Systems: Labeled Security Protection
B2 Systems: Structured Protection
B3 Systems: Security Domains
A1 Systems: Verified Design
Compartmented Mode Workstations
Government Computer Security Programs
Part III. COMMUNICATIONS SECURITY
Chapter 7. Encryption
Some History
What is Encryption?
Why Encryption?
Transposition and Substitution Ciphers
Cryptographic Keys: Private and Public
Key Management and Distribution
One-time Pad
The Data Encryption Standard
What is the DES?
Future of the DES
Other Cryptographic Algorithms
Variations on the DES
Public Key Algorithms
The RSA Algorithm
Digital Signatures and Notaries
Government Algorithms
Message Authentication
Encryption in Banking and Financial Applications
Government Cryptographic Programs
NSA
NIST
Treasury
Cryptographic Export Restrictions
Chapter 8. Communications and Network Security
What Makes Communication Secure?
Communications Vulnerabilities
Communications Threats
Modems
Networks
Network Terms
Some Network History
Network Media
OSI Model
Network Security
Trusted Networks
Perimeters and Gateways
Security in Heterogeneous Environments
Encrypted Communications
The Red Book and Government Network Evaluations
TCSEC Requirements
Other Security Services
Some Network Security Projects
DISNet and Blacker
SDNS
Kerberos
Project MAX
Secure NFS
Part IV. OTHER TYPES OF SECURITY
Chapter 9. Physical Security and Biometrics
Physical Security
Natural Disasters
Risk Analysis and Disaster Planning
Locks and Keys: Old and New
Types of Locks
Tokens
Challenge-response Systems
Cards: Smart and Dumb
Biometrics
Fingerprints
Handprints
Retina Patterns
Voice Patterns
Signature and Writing Patterns
Keystrokes
Chapter 10. TEMPEST
The Problem of Emanations
The TEMPEST Program
How To Build TEMPEST Products
TEMPEST Standards and Restrictions
TEMPEST Standards
TEMPEST Export Restrictions
Who Cares About TEMPEST?
Is TEMPEST Needed?
Changing TEMPEST Concepts
Government TEMPEST Programs
Part V. APPENDICES
Appendix A. Acronyms
Appendix B. Computer Security Legislation
Appendix C. Orange Book and Other Summaries
Orange Book (TCSEC) Requirements
Compartmented Mode Workstation (CMW) Requirements
System High Workstation (SHW) Requirements
International Security (ITSEC) Requirements
Appendix D. Government Security Programs
Computer Security Programs
The Role of the NCSC
The Role of NIST
Trusted Product Evaluation Program (TPEP)
Evaluation of Network Products
Evaluations of Database Management Systems
Evaluations of Security Subsystem Products
Formal Verification Systems Evaluation Program (FVSEP)
Degausser Products List
Rating Maintenance Phase (RAMP) Program
System Certification and Accreditation
DOCKMASTER
Technical Vulnerability Reporting Program
Communications Security Programs
Commercial COMSEC Endorsement Program
CCEP Eligibility
CCEP Program Steps
Government Endorsed DES Equipment Program
EFT Certification Program
Protected Network Services List
Off-line Systems List (OLSL)
Restrictions on Cryptographic Products
TEMPEST Security Programs
Industrial TEMPEST Program and Preferred Products List
Endorsed TEMPEST Products Program
Endorsed TEMPEST Test Services Program
Endorsed TEMPEST Test Instrumentation Program
Appendix E. A Security Source Book
Government Publications
The Rainbow Series
Other NSA Publications
FIPS PUBs
NIST Special Publications
Other NIST Publications
Compartmented Mode Workstation (CMW) Publications
COMSEC Program Publications
TEMPEST Program Publications
Other Security-relevant Government Publications
Government Program Contact Points
Computer Security (COMPUSEC) Programs
Communications Security (COMSEC) Programs
TEMPEST Programs
Other Government Contacts
Emergency Organizations
Standards Organizations
Security User Groups
Electronic Groups
USENET
Commercial Bulletin Boards
NCSC DOCKMASTER
NIST Computer Security Bulletin Board
Computer Security Periodicals
Computer Security Books
Conference Proceedings
Computer Security Textbooks
Viruses and Other Programmed Threats
Computer Crime and Ethics
Of General Interest
Glossary
Index
Figures
3-1 Self/Group/Public Controls
3-2 Discretionary Access Control With an Access Control List
3-3 Mandatory Access Control
6-1 Comparison of Evaluation Classes
6-2 Example of Labeling on Banner Page
6-3 Sample Trusted Path Menu
6-4 Sample Audit Output
7-1 The Enigma Machine
7-2 Simple Encryption and Decryption
7-3 A Simple Transposition Cipher
7-4 Simple Substitution Ciphers
7-5 Another Transposition Cipher
7-6 The Caesar Substitution Cipher
7-7 A Simple Example of Private Key Encryption/Decryption
7-8 A Simple Example of Public Key Encryption/Decryption
7-9 A One-time Pad
7-10 How the DES Works
8-1 Open Systems Interconnection (OSI) Model
8-2 End-to-end Encryption
8-3 Link Encryption
Tables
2-1 Security-relevant Standards Organizations
3-1 Sample Login/Password Controls
6-1 Evaluation Classes and Sample Systems
6-2 Discretionary Access Control (DAC) Requirements
6-3 Identification and Authentication (I&A) Requirements
6-4 Audit Requirements
6-5 System Architecture Requirements
6-6 Covert Channel Requirements
6-7 Trusted Facility Management Requirements
6-8 Security Testing Requirements
6-9 Design Specification and Verification Requirements
6-10 Configuration Management Requirements
6-11 Trusted Facility Manual (TFM) Requirements
6-12 Test Documentation Requirements
6-13 Design Documentation Requirements
8-1 OSI Model Layers and Functions
8-2 Communications Integrity Requirements
8-3 Denial of Service Requirements
8-4 Compromise Protection Requirements
B-1 Information Protection Legislation
B-2 Computer Crime Legislation
B-3 Privacy Legislation
C-5 Compartmented Mode Workstation Requirements
C-6 System High Workstation (SHW) Requirements
C-7 Information Technology Security Evaluation Criteria (ITSEC)
C-8 ITSEC Classes of Functionality
C-9 ITSEC Assurance Levels
E-1 Rainbow Series
E-2 FIPS PUBs
E-3 SPEC PUBs