Computer Security_ Principles and Practice Global Edition-William Stallings -2017.pdf

Full Transcript

 Digital Resources for Students
Your new textbook provides 12-month access to digital resources that may include VideoNotes
(step-by-step video tutorials on programming concepts), source code, web chapters, quizzes, and
more. Refer to the preface in the textbook for a detailed list of resources.

Follow the instructions below to register for the Companion Website for William Stallings/Lawrie
Brown’s Computer Security: Principles and Practice, Fourth Edition, Global Edition.

1. Go to www.pearsonglobaleditions.com/stallings.
2. Enter the title of your textbook or browse by author name.
3. Click Companion Website.
4. Click Register and follow the on-screen instructions to create a login name and
password.

Use a coin to scratch off the coating and reveal your access code.
Do not use a sharp knife or other sharp object as it may damage the code.

Use the login name and password you created during registration to start using the
online resources that accompany your textbook.

IMPORTANT:
This access code can only be used once. This subscription is valid for 12 months upon activation and
is not transferrable. If the access code has already been revealed it may no longer be valid.

For technical support go to https://support.pearson.com/getsupport/
Computer Security
Principles and Practice
Fourth Edition

Global Edition

William Stallings
Lawrie Brown
UNSW Canberra at the Australian Defence Force Academy

330 Hudson Street, New York, NY 10013
Director, Portfolio Management: Engineering, Rights and Permissions Manager: Ben Ferrini
­Computer Science & Global Editions: Manufacturing Buyer, Higher Ed, Lake Side
Julian Partridge ­Communications Inc (LSC): Maura Zaldivar-Garcia
Specialist, Higher Ed Portfolio Management: Senior Manufacturing Controller, Global Edition:
Tracy Johnson (Dunkelberger) Angela Hawksbee
Acquisitions Editor, Global Edition: Sourabh Inventory Manager: Ann Lam
Maheshwari Product Marketing Manager: Yvonne Vannatta
Portfolio Management Assistant: Meghan Jacoby Field Marketing Manager: Demetrius Hall
Managing Content Producer: Scott Disanno Marketing Assistant: Jon Bryant
Content Producer: Robert Engelhardt Cover Designer: Lumina Datamatics, Inc.
Project Editor, Global Edition: K.K. Neelakantan Cover Photo: Alex Kosev / Shutterstock
Web Developer: Steve Wright Full-Service Project Management: Kirthika Raj,
Manager, Media Production, Global Edition: Vikram SPi Global
Kumar

Credits and acknowledgments borrowed from other sources and reproduced, with permission, in this textbook
appear on page 777.

Many of the designations by manufacturers and seller to distinguish their products are claimed as trademarks.
Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations
have been printed in initial caps or all caps.

Pearson Education Limited
KAO Two
KAO Park
Harlow
CM17 9NA
United Kingdom

and Associated Companies throughout the world

Visit us on the World Wide Web at:
www.pearsonglobaleditions.com

© Pearson Education Limited 2018

The rights of William Stallings and Lawrie Brown to be identified as the authors of this work have been asserted
by them in accordance with the Copyright, Designs and Patents Act 1988.

Authorized adaptation from the United States edition, entitled Computer Security: Principles and Practice, 4th
Edition, ISBN 978-0-13-479410-5 by William Stallings and Lawrie Brown published by Pearson Education © 2018.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in
any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without either the prior
written permission of the publisher or a license permitting restricted copying in the United Kingdom issued by the
Copyright Licensing Agency Ltd, Saffron House, 6–10 Kirby Street, London EC1N 8TS.

All trademarks used herein are the property of their respective owners. The use of any trademark in this text does
not vest in the author or publisher any trademark ownership rights in such trademarks, nor does the use of such
trademarks imply any affiliation with or endorsement of this book by such owners.

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library

10 9 8 7 6 5 4 3 2 1

ISBN 10: 1-292-22061-9
ISBN 13: 978-1-292-22061-1

Typeset by SPi Global
Printed and bound in Malaysia
 For my loving wife, Tricia
—WS
To my extended family and friends, who helped
make this all possible
—LB
This page intentionally left blank
Contents
Preface 12
Notation 21
About the Authors 22
Chapter 1 Overview 23
1.1 Computer Security Concepts 24
1.2 Threats, Attacks, and Assets 31
1.3 Security Functional Requirements 37
1.4 Fundamental Security Design Principles 39
1.5 Attack Surfaces and Attack Trees 43
1.6 Computer Security Strategy 46
1.7 Standards 48
1.8 Key Terms, Review Questions, and Problems 49

PART ONE COMPUTER SECURITY TECHNOLOGY AND PRINCIPLES 52
Chapter 2 Cryptographic Tools 52
2.1 Confidentiality with Symmetric Encryption 53
2.2 Message Authentication and Hash Functions 59
2.3 Public-Key Encryption 67
2.4 Digital Signatures and Key Management 72
2.5 Random and Pseudorandom Numbers 77
2.6 Practical Application: Encryption of Stored Data 79
2.7 Key Terms, Review Questions, and Problems 80
Chapter 3 User Authentication 85
3.1 Digital User Authentication Principles 86
3.2 Password-Based Authentication 92
3.3 Token-Based Authentication 104
3.4 Biometric Authentication 109
3.5 Remote User Authentication 114
3.6 Security Issues for User Authentication 117
3.7 Practical Application: An Iris Biometric System 119
3.8 Case Study: Security Problems for ATM Systems 121
3.9 Key Terms, Review Questions, and Problems 124
Chapter 4 Access Control 127
4.1 Access Control Principles 128
4.2 Subjects, Objects, and Access Rights 131
4.3 Discretionary Access Control 132
4.4 Example: UNIX File Access Control 139
4.5 Role-Based Access Control 142
4.6 Attribute-Based Access Control 148
5
6  CONTENTS
4.7 Identity, Credential, and Access Management 154
4.8 Trust Frameworks 158
4.9 Case Study: RBAC System for a Bank 162
4.10 Key Terms, Review Questions, and Problems 164
Chapter 5 Database and Data Center Security 169
5.1 The Need for Database Security 170
5.2 Database Management Systems 171
5.3 Relational Databases 173
5.4 SQL Injection Attacks 177
5.5 Database Access Control 183
5.6 Inference 188
5.7 Database Encryption 190
5.8 Data Center Security 194
5.9 Key Terms, Review Questions, and Problems 200
Chapter 6 Malicious Software 205
6.1 Types of Malicious Software (Malware) 207
6.2 Advanced Persistent Threat 209
6.3 Propagation—Infected Content—Viruses 210
6.4 Propagation—Vulnerability Exploit—Worms 215
6.5 Propagation—Social Engineering—Spam E-mail, Trojans 224
6.6 Payload—System Corruption 227
6.7 Payload—Attack Agent—Zombie, Bots 229
6.8 Payload—Information Theft—Keyloggers, Phishing, Spyware 231
6.9 Payload—Stealthing—Backdoors, Rootkits 233
6.10 Countermeasures 236
6.11 Key Terms, Review Questions, and Problems 242
Chapter 7 Denial-of-Service Attacks 246
7.1 Denial-of-Service Attacks 247
7.2 Flooding Attacks 255
7.3 Distributed Denial-of-Service Attacks 256
7.4 Application-Based Bandwidth Attacks 258
7.5 Reflector and Amplifier Attacks 261
7.6 Defenses Against Denial-of-Service Attacks 265
7.7 Responding to a Denial-of-Service Attack 269
7.8 Key Terms, Review Questions, and Problems 270
Chapter 8 Intrusion Detection 273
8.1 Intruders 274
8.2 Intrusion Detection 278
8.3 Analysis Approaches 281
8.4 Host-Based Intrusion Detection 284
8.5 Network-Based Intrusion Detection 289
8.6 Distributed or Hybrid Intrusion Detection 295
8.7 Intrusion Detection Exchange Format 297
 CONTENTS  7

8.8 Honeypots 300
8.9 Example System: Snort 302
8.10 Key Terms, Review Questions, and Problems 306
Chapter 9 Firewalls and Intrusion Prevention Systems 310
9.1 The Need for Firewalls 311
9.2 Firewall Characteristics and Access Policy 312
9.3 Types of Firewalls 314
9.4 Firewall Basing 320
9.5 Firewall Location and Configurations 323
9.6 Intrusion Prevention Systems 328
9.7 Example: Unified Threat Management Products 332
9.8 Key Terms, Review Questions, and Problems 336

PART TWO SOFTWARE AND SYSTEM SECURITY 341
Chapter 10 Buffer Overflow 341
10.1 Stack Overflows 343
10.2 Defending Against Buffer Overflows 364
10.3 Other forms of Overflow Attacks 370
10.4 Key Terms, Review Questions, and Problems 377
Chapter 11 Software Security 379
11.1 Software Security Issues 380
11.2 Handling Program Input 384
11.3 Writing Safe Program Code 395
11.4 Interacting with the Operating System and Other Programs 400
11.5 Handling Program Output 413
11.6 Key Terms, Review Questions, and Problems 415
Chapter 12 Operating System Security 419
12.1 Introduction to Operating System Security 421
12.2 System Security Planning 422
12.3 Operating Systems Hardening 422
12.4 Application Security 426
12.5 Security Maintenance 428
12.6 Linux/Unix Security 429
12.7 Windows Security 433
12.8 Virtualization Security 435
12.9 Key Terms, Review Questions, and Problems 443
Chapter 13 Cloud and IoT Security 445
13.1 Cloud Computing 446
13.2 Cloud Security Concepts 454
13.3 Cloud Security Approaches 457
13.4 The Internet of Things 466
13.5 IoT Security 470
13.6 Key Terms and Review Questions 478
8  CONTENTS
PART THREE MANAGEMENT ISSUES 480
Chapter 14 IT Security Management and Risk Assessment 480
14.1 IT Security Management 481
14.2 Organizational Context and Security Policy 484
14.3 Security Risk Assessment 487
14.4 Detailed Security Risk Analysis 490
14.5 Case Study: Silver Star Mines 502
14.6 Key Terms, Review Questions, and Problems 507
Chapter 15 IT Security Controls, Plans, and Procedures 510
15.1 IT Security Management Implementation 511
15.2 Security Controls or Safeguards 511
15.3 IT Security Plan 520
15.4 Implementation of Controls 521
15.5 Monitoring Risks 522
15.6 Case Study: Silver Star Mines 524
15.7 Key Terms, Review Questions, and Problems 527
Chapter 16 Physical and Infrastructure Security 529
16.1 Overview 530
16.2 Physical Security Threats 531
16.3 Physical Security Prevention and Mitigation Measures 538
16.4 Recovery from Physical Security Breaches 541
16.5 Example: A Corporate Physical Security Policy 541
16.6 Integration of Physical and Logical Security 542
16.7 Key Terms, Review Questions, and Problems 548
Chapter 17 Human Resources Security 550
17.1 Security Awareness, Training, and Education 551
17.2 Employment Practices and Policies 557
17.3 E-mail and Internet Use Policies 560
17.4 Computer Security Incident Response Teams 561
17.5 Key Terms, Review Questions, and Problems 568
Chapter 18 Security Auditing 570
18.1 Security Auditing Architecture 572
18.2 Security Audit Trail 576
18.3 Implementing the Logging Function 581
18.4 Audit Trail Analysis 592
18.5 Security Information and Event Management 596
18.6 Key Terms, Review Questions, and Problems 598
Chapter 19 Legal and Ethical Aspects 600
19.1 Cybercrime and Computer Crime 601
19.2 Intellectual Property 605
19.3 Privacy 611
19.4 Ethical Issues 618
19.5 Key Terms, Review Questions, and Problems 624
 CONTENTS  9

PART FOUR CRYPTOGRAPHIC ALGORITHMS 627
Chapter 20 Symmetric Encryption and Message Confidentiality 627
20.1 Symmetric Encryption Principles 628
20.2 Data Encryption Standard 633
20.3 Advanced Encryption Standard 635
20.4 Stream Ciphers and RC4 641
20.5 Cipher Block Modes of Operation 644
20.6 Key Distribution 650
20.7 Key Terms, Review Questions, and Problems 652
Chapter 21 Public-Key Cryptography and Message Authentication 656
21.1 Secure Hash Functions 657
21.2 HMAC 663
21.3 Authenticated Encryption 666
21.4 The RSA Public-Key Encryption Algorithm 669
21.5 Diffie-Hellman and Other Asymmetric Algorithms 675
21.6 Key Terms, Review Questions, and Problems 679

PART FIVE NETWORK SECURITY 682
Chapter 22 Internet Security Protocols and Standards 682
22.1 Secure E-mail and S/MIME 683
22.2 Domainkeys Identified Mail 686
22.3 Secure Sockets Layer (SSL) and Transport Layer Security (TLS) 690
22.4 HTTPS 697
22.5 IPv4 and IPv6 Security 698
22.6 Key Terms, Review Questions, and Problems 703
Chapter 23 Internet Authentication Applications 706
23.1 Kerberos 707
23.2 X.509 713
23.3 Public-Key Infrastructure 716
23.4 Key Terms, Review Questions, and Problems 719
Chapter 24 Wireless Network Security 722
24.1 Wireless Security 723
24.2 Mobile Device Security 726
24.3 IEEE 802.11 Wireless LAN Overview 730
24.4 IEEE 802.11i Wireless LAN Security 736
24.5 Key Terms, Review Questions, and Problems 751
Appendix A Projects and Other Student Exercises for Teaching Computer Security 754
A.1 Hacking Project 754
A.2 Laboratory Exercises 755
A.3 Security Education (SEED) Projects 755
A.4 Research Projects 757
A.5 Programming Projects 758
A.6 Practical Security Assessments 758
10  CONTENTS
A.7 Firewall Projects 758
A.8 Case Studies 759
A.9 Reading/Report Assignments 759
A.10 Writing Assignments 759
A.11 Webcasts for Teaching Computer Security 760
Acronyms 761
List of NIST and ISO Documents 762
References 764
Credits 777
Index 780
 CONTENTS  11

ONLINE CHAPTERS AND APPENDICES1
Chapter 25 Linux Security
25.1 Introduction
25.2 Linux’s Security Model
25.3 The Linux DAC in Depth: Filesystem Security
25.4 Linux Vulnerabilities
25.5 Linux System Hardening
25.6 Application Security
25.7 Mandatory Access Controls
25.8 Key Terms, Review Questions, and Problems
Chapter 26 Windows and Windows Vista Security
26.1 Windows Security Architecture
26.2 Windows Vulnerabilities
26.3 Windows Security Defenses
26.4 Browser Defenses
26.5 Cryptographic Services
26.6 Common Criteria
26.7 Key Terms, Review Questions, Problems, and Projects
Chapter 27 Trusted Computing and Multilevel Security
27.1 The Bell-LaPadula Model for Computer Security
27.2 Other Formal Models for Computer Security
27.3 The Concept of Trusted Systems
27.4 Application of Multilevel Security
27.5 Trusted Computing and the Trusted Platform Module
27.6 Common Criteria for Information Technology Security Evaluation
27.7 Assurance and Evaluation
27.8 Key Terms, Review
Appendix B Some Aspects of Number Theory
Appendix C Standards and Standard-Setting Organizations
Appendix D Random and Pseudorandom Number Generation
Appendix E Message Authentication Codes Based on Block Ciphers
Appendix F TCP/IP Protocol Architecture
Appendix G Radix-64 Conversion
Appendix H The Domain Name System
Appendix I The Base-Rate Fallacy
Appendix J SHA-3
Appendix K Glossary

1
Online chapters, appendices, and other documents are Premium Content, available via the access code at
the front of this book.
Preface
WHAT’S NEW IN THE FOURTH EDITION

Since the third edition of this book was published, the field has seen continued innovations
and improvements. In this new edition, we try to capture these changes while maintaining a
broad and comprehensive coverage of the entire field. To begin the process of revision, the
third edition of this book was extensively reviewed by a number of professors who teach the
subject and by professionals working in the field. The result is that in many places the narra-
tive has been clarified and tightened, and illustrations have been improved.
Beyond these refinements to improve pedagogy and user-friendliness, there have
been major substantive changes throughout the book. The most noteworthy changes are
as follows:
Data center security: Chapter 5 includes a new discussion of data center security,
­including the TIA-492 specification of reliability tiers.
Malware: The material on malware in Chapter 6 has been revised to include additional
material on macro viruses and their structure, as they are now the most common form
of virus malware.
Virtualization security: The material on virtualization security in Chapter 12 has been
extended, given the rising use of such systems by organizations and in cloud computing
environments. A discussion of virtual firewalls, which may be used to help secure these
environments, has also been added.
Cloud security: Chapter 13 includes a new discussion of cloud security. The discussion
includes an introduction to cloud computing, key cloud security concepts, an analysis of
approaches to cloud security, and an open-source example.
IoT security: Chapter 13 includes a new discussion of security for the Internet of Things
(IoT). The discussion includes an introduction to IoT, an overview of IoT security issues,
and an open-source example.
SEIM: The discussion of Security Information and Event Management (SIEM) systems
in Chapter 18 has been updated.
Privacy: The section on privacy issues and its management in Chapter 19 has been
extended with additional discussion of moral and legal approaches, and the privacy
issues related to big data.
Authenticated encryption: Authenticated encryption has become an increasingly wide-
spread cryptographic tool in a variety of applications and protocols. Chapter 21 includes
a new discussion of authenticated description and describes an important authenticated
encryption algorithm known as offset codebook (OCB) mode.

12
 PREFACE  13

BACKGROUND

Interest in education in computer security and related topics has been growing at a dramatic rate
in recent years. This interest has been spurred by a number of factors, two of which stand out:
1. As information systems, databases, and Internet-based distributed systems and com-
munication have become pervasive in the commercial world, coupled with the increased
intensity and sophistication of security-related attacks, organizations now recognize the
need for a comprehensive security strategy. This strategy encompasses the use of special-
ized hardware and software and trained personnel to meet that need.
2. Computer security education, often termed information security education or information
assurance education, has emerged as a national goal in the United States and other coun-
tries, with national defense and homeland security implications. The NSA/DHS National
Center of Academic Excellence in Information Assurance/Cyber Defense is spearhead-
ing a government role in the development of standards for computer security education.
Accordingly, the number of courses in universities, community colleges, and other
­institutions in computer security and related areas is growing.

OBJECTIVES

The objective of this book is to provide an up-to-date survey of developments in computer
security. Central problems that confront security designers and security administrators include
defining the threats to computer and network systems, evaluating the relative risks of these
threats, and developing cost-effective and user friendly countermeasures.
The following basic themes unify the discussion:
Principles: Although the scope of this book is broad, there are a number of basic prin-
ciples that appear repeatedly as themes and that unify this field. Examples are issues
relating to authentication and access control. The book highlights these principles and
examines their application in specific areas of computer security.
Design approaches: The book examines alternative approaches to meeting specific
­computer security requirements.
Standards: Standards have come to assume an increasingly important, indeed dominant,
role in this field. An understanding of the current status and future direction of technol-
ogy requires a comprehensive discussion of the related standards.
Real-world examples: A number of chapters include a section that shows the practical
application of that chapter’s principles in a real-world environment.

SUPPORT OF ACM/IEEE COMPUTER SCIENCE CURRICULA 2013

This book is intended for both an academic and a professional audience. As a textbook,
it is intended as a one- or two-semester undergraduate course for computer science, com-
puter engineering, and electrical engineering majors. This edition is designed to support
14  PREFACE
Table P.1 Coverage of CS2013 Information Assurance and Security (IAS) Knowledge Area
IAS Knowledge Units Topics Textbook Coverage
Foundational Concepts CIA (Confidentiality, Integrity, and 1—Overview
in Security (Tier 1) Availability) 3—User Authentication
Risk, threats, vulnerabilities, and attack 4—Access Control
vectors 19—Legal and Ethical Aspects
Authentication and authorization, access
control (mandatory vs. discretionary)
Trust and trustworthiness
Ethics (responsible disclosure)
Principles of Secure Least privilege and isolation 1—Overview
Design (Tier 1) Fail-safe defaults
Open design
End-to-end security
Defense in depth
Security by design
Tensions between security and other design
goals
Principles of Secure Complete mediation 1—Overview
Design (Tier 2) Use of vetted security components
Economy of mechanism (reducing trusted
computing base, minimize attack surface)
Usable security
Security composability
Prevention, detection, and deterrence
Defensive Programming Input validation and data sanitization 11—Software Security
(Tier 1) Choice of programming language and
­type-safe languages
Examples of input validation and data
­sanitization errors (buffer overflows, integer
errors, SQL injection, and XSS vulnerability)
Race conditions
Correct handling of exceptions and
­unexpected behaviors
Defensive Programming Correct usage of third-party components 11—Software Security
(Tier 2) Effectively deploying security updates 12—OS Security
Threats and Attacks Attacker goals, capabilities, and motivations 6—Malicious Software
(Tier 2) Malware 7—Denial-of-Service Attacks
Denial of service and distributed denial of
service
Social engineering
Network Security Network-specific threats and attack types 8—Intrusion Detection
(Tier 2) Use of cryptography for data and network 9—Firewalls and Intrusion
security ­Prevention Systems
Architectures for secure networks Part 5—Network Security
Defense mechanisms and countermeasures
Security for wireless, cellular networks
Cryptography (Tier 2) Basic cryptography terminology 2—Cryptographic Tools
Cipher types Part 4—Cryptographic
Overview of mathematical preliminaries Algorithms
Public key infrastructure
 PREFACE  15

the recommendations of the ACM/IEEE Computer Science Curricula 2013 (CS2013). The
CS2013 curriculum recommendation includes, for the first time, Information Assurance and
Security (IAS) as one of the Knowledge Areas in the Computer Science Body of ­Knowledge.
CS2013 divides all course work into three categories: Core-Tier 1 (all topics should be
included in the curriculum), Core-Tier 2 (all or almost all topics should be included), and
Elective (desirable to provide breadth and depth). In the IAS area, CS2013 includes three
Tier 1 topics, five Tier 2 topics, and numerous Elective topics, each of which has a number of
subtopics. This text covers all of the Tier 1 and Tier 2 topics and subtopics listed by CS2013,
as well as many of the elective topics. Table P.1 shows the support for the ISA Knowledge
Area provided in this textbook.

COVERAGE OF CISSP SUBJECT AREAS

This book provides coverage of all the subject areas specified for CISSP (Certified I­ nformation
Systems Security Professional) certification. The CISSP designation from the International
Information Systems Security Certification Consortium (ISC)2 is often referred to as the
“gold standard” when it comes to information security certification. It is the only univer-
sally recognized certification in the security industry. Many organizations, including the U.S.
Department of Defense and many financial institutions, now require that cyber security per-
sonnel have the CISSP certification. In 2004, CISSP became the first IT program to earn
accreditation under the international standard ISO/IEC 17024 (General Requirements for
Bodies Operating Certification of Persons).
The CISSP examination is based on the Common Body of Knowledge (CBK), a compen-
dium of information security best practices developed and maintained by (ISC)2, a nonprofit
organization. The CBK is made up of 8 domains that comprise the body of knowledge that is
required for CISSP certification.
The 8 domains are as follows, with an indication of where the topics are covered in this
textbook:
Security and risk management: Confidentiality, integrity, and availability concepts;
­security governance principles; risk management; compliance; legal and regulatory
issues; professional ethics; and security policies, standards, procedures, and guidelines.
(Chapter 14)
Asset security: Information and asset classification; ownership (e.g. data owners, system
owners); privacy protection; appropriate retention; data security controls; and handling
requirements (e.g., markings, labels, storage). (Chapters 5, 15, 16, 19)
Security engineering: Engineering processes using secure design principles; security
models; security evaluation models; security capabilities of information systems; security
architectures, designs, and solution elements vulnerabilities; web-based systems vulner-
abilities; mobile systems vulnerabilities; embedded devices and cyber-physical systems
vulnerabilities; cryptography; and site and facility design secure principles; physical secu-
rity. (Chapters 1, 2, 13, 15, 16)
Communication and network security: Secure network architecture design (e.g., IP and
non-IP protocols, segmentation); secure network components; secure communication
channels; and network attacks. (Part Five)
16  PREFACE
Identity and access management: Physical and logical assets control; identification and
authentication of people and devices; identity as a service (e.g. cloud identity); third-
party identity services (e.g., on-premise); access control attacks; and identity and access
provisioning lifecycle (e.g., provisioning review). (Chapters 3, 4, 8, 9)
Security assessment and testing: Assessment and test strategies; security process data
(e.g., management and operational controls); security control testing; test outputs
(e.g., automated, manual); and security architectures vulnerabilities. (Chapters 14,
15, 18)
Security operations: Investigations support and requirements; logging and monitoring
activities; provisioning of resources; foundational security operations concepts; resource
protection techniques; incident management; preventative measures; patch and vulner-
ability management; change management processes; recovery strategies; disaster recov-
ery processes and plans; business continuity planning and exercises; physical security;
and personnel safety concerns. (Chapters 11, 12, 15, 16, 17)
Software development security: Security in the software development lifecycle; devel-
opment environment security controls; software security effectiveness; and acquired
software security impact. (Part Two)

SUPPORT FOR NSA/DHS CERTIFICATION

The U.S. National Security Agency (NSA) and the U.S. Department of Homeland Security
(DHS) jointly sponsor the National Centers of Academic Excellence in Information Assur-
ance/Cyber Defense (IA/CD). The goal of these programs is to reduce vulnerability in our
national information infrastructure by promoting higher education and research in IA and
producing a growing number of professionals with IA expertise in various disciplines. To
achieve that purpose, NSA/DHS have defined a set of Knowledge Units for 2- and 4-year
institutions that must be supported in the curriculum to gain a designation as a NSA/DHS
National Center of Academic Excellence in IA/CD. Each Knowledge Unit is composed
of a minimum list of required topics to be covered and one or more outcomes or learning
objectives. Designation is based on meeting a certain threshold number of core and optional
Knowledge Units.
In the area of computer security, the 2014 Knowledge Units document lists the following
core Knowledge Units:
Cyber Defense: Includes access control, cryptography, firewalls, intrusion detection sys-
tems, malicious activity detection and countermeasures, trust relationships, and defense
in depth.
Cyber Threats: Includes types of attacks, legal issues, attack surfaces, attack trees, insider
problems, and threat information sources.
Fundamental Security Design Principles: A list of 12 principles, all of which are covered
in Section 1.4 of this text.
Information Assurance Fundamentals: Includes threats and vulnerabilities, intrusion
detection and prevention systems, cryptography, access control models, identification/
authentication, and audit.
 PREFACE  17

Introduction to Cryptography: Includes symmetric cryptography, public-key
­cryptography, hash functions, and digital signatures.
Databases: Includes an overview of databases, database access controls, and security
issues of inference.
This book provides extensive coverage in all of these areas. In addition, the book
­partially covers a number of the optional Knowledge Units.

PLAN OF THE TEXT

The book is divided into five parts (see Chapter 0):
Computer Security Technology and Principles
Software and System Security
Management Issues
Cryptographic Algorithms
Network Security
The text is also accompanied by a number of online chapters and appendices that pro-
vide more detail on selected topics.
The text includes an extensive glossary, a list of frequently used acronyms, and a bib-
liography. Each chapter includes homework problems, review questions, a list of key words,
and suggestions for further reading.

INSTRUCTOR SUPPORT MATERIALS

The major goal of this text is to make it as effective a teaching tool for this exciting and fast-­moving
subject as possible. This goal is reflected both in the structure of the book and in the supporting
material. The text is accompanied by the following supplementary material to aid the instructor:
Projects manual: Project resources including documents and portable software, plus sug-
gested project assignments for all of the project categories listed in the following section.
Solutions manual: Solutions to end-of-chapter Review Questions and Problems.
PowerPoint slides: A set of slides covering all chapters, suitable for use in lecturing.
PDF files: Reproductions of all figures and tables from the book.
Test bank: A chapter-by-chapter set of questions.
Sample syllabuses: The text contains more material than can be conveniently covered
in one semester. Accordingly, instructors are provided with several sample syllabuses
that guide the use of the text within limited time. These samples are based on real-world
experience by professors with the first edition.
All of these support materials are available at the Instructor Resource Center (IRC) for
this textbook, which can be reached through the publisher’s Website www.pearsonglobaleditions.com/stallings. To gain access to the IRC, please contact your local Pearson sales representative.
18  PREFACE
The Companion Website includes the following:
Links to Web sites for other courses being taught using this book.
Sign-up information for an Internet mailing list for instructors using this book to
exchange information, suggestions, and questions with each other and with the author.

STUDENT RESOURCES

For this new edition, a tremendous amount of original support-
ing material for students has been made available online, at
two Web locations. The Companion Website, includes a list of
relevant links organized by chapter and an errata sheet for the
book.
Purchasing this textbook now grants the reader 12 months of
access to the Premium Content Site, which includes the following
materials:
O nline chapters: To limit the size and cost of the book, three
­chapters of the book are provided in PDF format. The chapters
are listed in this book’s table of contents.
Online appendices: There are numerous interesting topics that support material found in
the text but whose inclusion is not warranted in the printed text. A total of eleven online
appendices cover these topics for the interested student. The appendices are listed in
this book’s table of contents.
Homework problems and solutions: To aid the student in understanding the material,
a separate set of homework problems with solutions is available. These enable the stu-
dents to test their understanding of the text.
To access the Premium Content site, click on the link at www.pearsonglobaleditions.com/stallings and enter the student access code found on the inside front cover.

PROJECTS AND OTHER STUDENT EXERCISES

For many instructors, an important component of a computer security course is a project or
set of projects by which the student gets hands-on experience to reinforce concepts from the
text. This book provides an unparalleled degree of support for including a projects component
in the course. The instructor’s support materials available through Pearson not only include
guidance on how to assign and structure the projects but also include a set of user manuals for
various project types plus specific assignments, all written especially for this book. Instructors
can assign work in the following areas:
Hacking exercises: Two projects that enable students to gain an understanding of the
issues in intrusion detection and prevention.
Laboratory exercises: A series of projects that involve programming and experimenting
with concepts from the book.
 PREFACE  19

Security education (SEED) projects: The SEED projects are a set of hands-on exercises,
or labs, covering a wide range of security topics.
Research projects: A series of research assignments that instruct the students to research
a particular topic on the Internet and write a report.
Programming projects: A series of programming projects that cover a broad range of
topics and that can be implemented in any suitable language on any platform.
Practical security assessments: A set of exercises to examine current infrastructure and
practices of an existing organization.
Firewall projects: A portable network firewall visualization simulator is provided,
together with exercises for teaching the fundamentals of firewalls.
Case studies: A set of real-world case studies, including learning objectives, case descrip-
tion, and a series of case discussion questions.
Reading/report assignments: A list of papers that can be assigned for reading and writing
a report, plus suggested assignment wording.
Writing assignments: A list of writing assignments to facilitate learning the material.
Webcasts for teaching computer security: A catalog of webcast sites that can be used
to enhance the course. An effective way of using this catalog is to select, or allow the
student to select, one or a few videos to watch, and then to write a report/analysis of
the video.
This diverse set of projects and other student exercises enables the instructor to use the
book as one component in a rich and varied learning experience and to tailor a course plan to
meet the specific needs of the instructor and students. See Appendix A in this book for details.

ACKNOWLEDGMENTS

This new edition has benefited from review by a number of people, who gave generously of
their time and expertise. The following professors and instructors reviewed all or a large part
of the manuscript: Bernardo Palazzi (Brown University), Jean Mayo (Michigan Technological
University), Scott Kerlin (University of North Dakota), Philip Campbell (Ohio University),
Scott Burgess (Humboldt State University), Stanley Wine (Hunter College/CUNY), and
E. Mauricio Angee (Florida International University).
Thanks also to the many people who provided detailed technical reviews of one or
more chapters: Umair Manzoor (UmZ), Adewumi Olatunji (FAGOSI Systems, Nigeria), Rob
­Meijer, Robin Goodchil, Greg Barnes (Inviolate Security LLC), Arturo Busleiman (Buanzo
Consulting), Ryan M. Speers (Dartmouth College), Wynand van Staden (School of C ­ omputing,
University of South Africa), Oh Sieng Chye, Michael Gromek, Samuel Weisberger, Brian
Smithson (Ricoh Americas Corp, CISSP), Josef B. Weiss (CISSP), Robbert-Frank Ludwig
(Veenendaal, ActStamp Information Security), William Perry, Daniela Zamfiroiu (CISSP),
Rodrigo Ristow Branco, George Chetcuti (Technical Editor, TechGenix), Thomas Johnson
(Director of Information Security at a banking holding company in Chicago, CISSP), Robert
Yanus (CISSP), Rajiv Dasmohapatra (Wipro Ltd), Dirk Kotze, Ya’akov Yehudi, and ­Stanley
Wine (Adjunct Lecturer, Computer Information Systems Department, Zicklin School of
­Business, Baruch College).
20  PREFACE
Dr. Lawrie Brown would first like to thank Bill Stallings for the pleasure of working with
him to produce this text. I would also like to thank my colleagues in the School of Engineering
and Information Technology, UNSW Canberra at the Australian Defence Force Academy for
their encouragement and support. In particular, thanks to Gideon Creech, Edward Lewis, and
Ben Whitham for discussion and review of some of the chapter content.
Finally, we would like to thank the many people responsible for the publication of the
book, all of whom did their usual excellent job. This includes the staff at Pearson, particularly
our editor Tracy Dunkelberger, her editorial assistant Kristy Alaura, and project manager Bob
Engelhardt. Thanks also to the marketing and sales staffs at Pearson, without whose efforts
this book would not be in front of you.

ACKNOWLEDGMENTS FOR THE GLOBAL EDITION

Pearson would like to thank and acknowledge Somitra Sanadhya (Indian Institute of Technol-
ogy Ropar) for contributing to the Global Edition, and Arup Bhattacharya (RCC Institute of
Technology), A. Kannammal (Coimbatore Institute of Technology), and Khyat Sharma for
reviewing the Global Edition.
Notation
Symbol Expression Meaning
D, K D(K, Y) Symmetric decryption of ciphertext Y using secret key K
D, PRa D(PRa, Y) Asymmetric decryption of ciphertext Y using A’s private key PRa
D, PUa D(PUa, Y) Asymmetric decryption of ciphertext Y using A’s public key PUa
E, K E(K, X) Symmetric encryption of plaintext X using secret key K
E, PRa E(PRa, X) Asymmetric encryption of plaintext X using A’s private key PRa
E, PUa E(PUa, X) Asymmetric encryption of plaintext X using A’s public key PUa
K Secret key
PRa Private key of user A
PUa Public key of user A
H H(X) Hash function of message X
+ x + y Logical OR: x OR y
x y Logical AND: x AND y
∼ ∼ x Logical NOT: NOT x
C A characteristic formula, consisting of a logical formula over the
­values of attributes in a database
X X(C) Query set of C, the set of records satisfying C
, X  X(C)  Magnitude of X(C): the number of records in X(C)
x X(C) x X(D) Set intersection: the number of records in both X(C) and X(D)
 x  y x concatenated with y

21
About the Authors
Dr. William Stallings authored 18 textbooks, and, counting revised
editions, a total of 70 books on various aspects of these sub-
jects. His writings have appeared in numerous ACM and IEEE
publications, including the Proceedings of the IEEE and ACM
­Computing Reviews. He has 13 times received the award for the
best Computer Science textbook of the year from the Text and
Academic Authors Association.
In over 30 years in the field, he has been a technical
­contributor, technical manager, and an executive with several
high-technology firms. He has designed and implemented both
TCP/IP-based and OSI-based protocol suites on a variety of computers and operating s­ ystems,
ranging from microcomputers to mainframes. Currently he is an independent consultant
whose clients have included computer and networking manufacturers and customers, software
development firms, and leading-edge government research institutions.
He created and maintains the Computer Science Student Resource Site at Computer
ScienceStudent.com. This site provides documents and links on a variety of subjects of general
interest to computer science students (and professionals). He is a member of the editorial
board of Cryptologia, a scholarly journal devoted to all aspects of cryptology.

Dr. Lawrie Brown is a visiting senior lecturer in the School of
Engineering and Information Technology, UNSW Canberra at
the Australian Defence Force Academy.
His professional interests include communications and
­computer systems security and cryptography, including research
on pseudo-anonymous communication, authentication, ­security
and trust issues in Web environments, the design of secure remote
code execution environments using the functional l­anguage
Erlang, and on the design and implementation of the LOKI
­family of block ciphers.
During his career, he has presented courses on cryptography, cybersecurity, data
­communications, data structures, and programming in Java to both undergraduate and
­postgraduate students.

22
 CHAPTER

Overview
1.1 Computer Security Concepts
A Definition of Computer Security
Examples
The Challenges of Computer Security
A Model for Computer Security
1.2 Threats, Attacks, and Assets
Threats and Attacks
Threats and Assets
1.3 Security Functional Requirements

1.4 Fundamental Security Design Principles

1.5 Attack Surfaces and Attack Trees
Attack Surfaces
Attack Trees
1.6 Computer Security Strategy
Security Policy
Security Implementation
Assurance and Evaluation
1.7 Standards

1.8 Key Terms, Review Questions, and Problems

23
24   CHAPTER 1 / Overview

Learning Objectives
After studying this chapter, you should be able to:
◆◆ Describe the key security requirements of confidentiality, integrity, and
availability.
◆◆ Discuss the types of security threats and attacks that must be dealt with
and give examples of the types of threats and attacks that apply to different
­categories of computer and network assets.
◆◆ Summarize the functional requirements for computer security.
◆◆ Explain the fundamental security design principles.
◆◆ Discuss the use of attack surfaces and attack trees.
◆◆ Understand the principle aspects of a comprehensive security strategy.

This chapter provides an overview of computer security. We begin with a discussion
of what we mean by computer security. In essence, computer security deals with
­computer-related assets that are subject to a variety of threats and for which v­ arious
measures are taken to protect those assets. Accordingly, the next section of this
­chapter provides a brief overview of the categories of computer-related assets that
users and system managers wish to preserve and protect, and a look at the ­various
threats and attacks that can be made on those assets. Then, we survey the measures
that can be taken to deal with such threats and attacks. This we do from three dif-
ferent viewpoints, in Sections 1.3 through 1.5. We then lay out in general terms a
computer security strategy.
The focus of this chapter, and indeed this book, is on three fundamental
questions:
1. What assets do we need to protect?
2. How are those assets threatened?
3. What can we do to counter those threats?

1.1 COMPUTER SECURITY CONCEPTS

A Definition of Computer Security
The NIST Internal/Interagency Report NISTIR 7298 (Glossary of Key Information
Security Terms, May 2013) defines the term computer security as follows:

Computer Security: Measures and controls that ensure confidentiality, integrity,
and availability of information system assets including hardware, software, firm-
ware, and information being processed, stored, and communicated.
 1.1 / COMPUTER SECURITY CONCEPTS   25

This definition introduces three key objectives that are at the heart of computer
security:
Confidentiality: This term covers two related concepts:
——Data confidentiality:1 Assures that private or confidential information is
not made available or disclosed to unauthorized individuals.
——Privacy: Assures that individuals control or influence what information
related to them may be collected and stored and by whom and to whom that
information may be disclosed.
Integrity: This term covers two related concepts:
——Data integrity: Assures that information and programs are changed only
in a specified and authorized manner.
——System integrity: Assures that a system performs its intended function in
an unimpaired manner, free from deliberate or inadvertent unauthorized
manipulation of the system.
Availability: Assures that systems work promptly and service is not denied to
authorized users.
These three concepts form what is often referred to as the CIA triad. The three
concepts embody the fundamental security objectives for both data and for information
and computing services. For example, the NIST standard FIPS 199 (Standards for Security
Categorization of Federal Information and Information Systems, February 2004) lists con-
fidentiality, integrity, and availability as the three security objectives for information and
for information systems. FIPS 199 provides a useful characterization of these three objec-
tives in terms of requirements and the definition of a loss of security in each category:
Confidentiality: Preserving authorized restrictions on information access and
disclosure, including means for protecting personal privacy and proprietary infor-
mation. A loss of confidentiality is the unauthorized disclosure of information.
Integrity: Guarding against improper information modification or destruction,
including ensuring information nonrepudiation and authenticity. A loss of integ-
rity is the unauthorized modification or destruction of information.
Availability: Ensuring timely and reliable access to and use of information.
A loss of availability is the disruption of access to or use of information or an
information system.
Although the use of the CIA triad to define security objectives is well estab-
lished, some in the security field feel that additional concepts are needed to present a
complete picture (see Figure 1.1). Two of the most commonly mentioned are as follows:
Authenticity: The property of being genuine and being able to be verified and
trusted; confidence in the validity of a transmission, a message, or message

1
RFC 4949 (Internet Security Glossary, August 2007) defines information as “facts and ideas, which can
be represented (encoded) as various forms of data,” and data as “information in a specific physical rep-
resentation, usually a sequence of symbols that have meaning; especially a representation of information
that can be processed or produced by a computer.” Security literature typically does not make much of a
distinction; nor does this book.
26   CHAPTER 1 / Overview

ty
tiali
den In
teg
n fi
Co rit
y

Data

Acco
and

unta

ity
services

entic
bility

Auth
Availability

Figure 1.1 Essential Network and
­Computer Security Requirements

originator. This means verifying that users are who they say they are and that
each input arriving at the system came from a trusted source.
Accountability: The security goal that generates the requirement for actions
of an entity to be traced uniquely to that entity. This supports nonrepudiation,
deterrence, fault isolation, intrusion detection and prevention, and after-action
recovery and legal action. Because truly secure systems are not yet an achiev-
able goal, we must be able to trace a security breach to a responsible party.
Systems must keep records of their activities to permit later forensic analysis
to trace security breaches or to aid in transaction disputes.
Note that FIPS 199 includes authenticity under integrity.

Examples
We now provide some examples of applications that illustrate the requirements just
enumerated.2 For these examples, we use three levels of impact on organizations or
individuals should there be a breach of security (i.e., a loss of confidentiality, integrity,
or availability). These levels are defined in FIPS 199:
Low: The loss could be expected to have a limited adverse effect on organiza-
tional operations, organizational assets, or individuals. A limited adverse effect
means that, for example, the loss of confidentiality, integrity, or availability
might: (i) cause a degradation in mission capability to an extent and duration
that the organization is able to perform its primary functions, but the effec-
tiveness of the functions is noticeably reduced; (ii) result in minor damage to
organizational assets; (iii) result in minor financial loss; or (iv) result in minor
harm to individuals.

2
These examples are taken from a security policy document published by the Information Technology
Security and Privacy Office at Purdue University.
 1.1 / COMPUTER SECURITY CONCEPTS   27

Moderate: The loss could be expected to have a serious adverse effect on
­organizational operations, organizational assets, or individuals. A serious
adverse effect means that, for example, the loss might: (i) cause a significant
degradation in mission capability to an extent and duration that the organiza-
tion is able to perform its primary functions, but the effectiveness of the func-
tions is significantly reduced; (ii) result in significant damage to organizational
assets; (iii) result in significant financial loss; or (iv) result in significant harm to
individuals that does not involve loss of life or serious life-threatening injuries.
High: The loss could be expected to have a severe or catastrophic adverse effect
on organizational operations, organizational assets, or individuals. A severe or
catastrophic adverse effect means that, for example, the loss might: (i) cause a
severe degradation in or loss of mission capability to an extent and duration
that the organization is not able to perform one or more of its primary func-
tions; (ii) result in major damage to organizational assets; (iii) result in major
financial loss; or (iv) result in severe or catastrophic harm to individuals involv-
ing loss of life or serious life-threatening injuries.

Confidentiality Student grade information is an asset whose confidentiality is
considered to be highly important by students. In the United States, the release of
such information is regulated by the Family Educational Rights and Privacy Act
(FERPA). Grade information should only be available to students, their parents, and
employees that require the information to do their job. Student enrollment informa-
tion may have a moderate confidentiality rating. While still covered by FERPA, this
information is seen by more people on a daily basis, is less likely to be targeted than
grade information, and results in less damage if disclosed. Directory information, such
as lists of students or faculty or departmental lists, may be assigned a low confiden-
tiality rating or indeed no rating. This information is typically freely available to the
public and published on a school’s website.

Integrity Several aspects of integrity are illustrated by the example of a hospital
patient’s allergy information stored in a database. The doctor should be able to trust
that the information is correct and current. Now, suppose an employee (e.g., a nurse)
who is authorized to view and update this information deliberately falsifies the data
to cause harm to the hospital. The database needs to be restored to a trusted basis
quickly, and it should be possible to trace the error back to the person responsible.
Patient allergy information is an example of an asset with a high requirement for
integrity. Inaccurate information could result in serious harm or death to a patient,
and expose the hospital to massive liability.
An example of an asset that may be assigned a moderate level of integrity
requirement is a website that offers a forum to registered users to discuss some spe-
cific topic. Either a registered user or a hacker could falsify some entries or deface the
website. If the forum exists only for the enjoyment of the users, brings in little or no
advertising revenue, and is not used for something important such as research, then
potential damage is not severe. The Webmaster may experience some data, financial,
and time loss.
An example of a low integrity requirement is an anonymous online poll. Many
websites, such as news organizations, offer these polls to their users with very few
28   CHAPTER 1 / Overview
safeguards. However, the inaccuracy and unscientific nature of such polls is well
understood.
Availability The more critical a component or service is, the higher will be the
level of availability required. Consider a system that provides authentication services
for critical systems, applications, and devices. An interruption of service results in the
inability for customers to access computing resources and staff to access the resources
they need to perform critical tasks. The loss of the service translates into a large
­financial loss in lost employee productivity and potential customer loss.
An example of an asset that would typically be rated as having a moderate
availability requirement is a public website for a university; the website provides
information for current and prospective students and donors. Such a site is not a
critical component of the university’s information system, but its unavailability will
cause some embarrassment.
An online telephone directory lookup application would be classified as a low
availability requirement. Although the temporary loss of the application may be an
annoyance, there are other ways to access the information, such as a hardcopy direc-
tory or the operator.

The Challenges of Computer Security
Computer security is both fascinating and complex. Some of the reasons are as follows:
1. Computer security is not as simple as it might first appear to the novice. The
requirements seem to be straightforward; indeed, most of the major require-
ments for security services can be given self-explanatory one-word labels:
­confidentiality, authentication, nonrepudiation, and integrity. But the mecha-
nisms used to meet those requirements can be quite complex, and ­understanding
them may involve rather subtle reasoning.
2. In developing a particular security mechanism or algorithm, one must always con-
sider potential attacks on those security features. In many cases, successful attacks
are designed by looking at the problem in a completely different way, therefore
exploiting an unexpected weakness in the mechanism.
3. Because of Point 2, the procedures used to provide particular services are often
counterintuitive. Typically, a security mechanism is complex, and it is not obvious
from the statement of a particular requirement that such elaborate measures are
needed. Only when the various aspects of the threat are considered do elaborate
security mechanisms make sense.
4. Having designed various security mechanisms, it is necessary to decide where to
use them. This is true both in terms of physical placement (e.g., at what points in
a network are certain security mechanisms needed) and in a logical sense [e.g.,
at what layer or layers of an architecture such as TCP/IP (Transmission Control
Protocol/Internet Protocol) should mechanisms be placed].
5. Security mechanisms typically involve more than a particular algorithm or
­protocol. They also require that participants be in possession of some secret
information (e.g., an encryption key), which raises questions about the creation,
distribution, and protection of that secret information. There may also be a reli-
ance on communications protocols whose behavior may complicate the task of
 1.1 / COMPUTER SECURITY CONCEPTS   29

developing the security mechanism. For example, if the proper functioning of the
security mechanism requires setting time limits on the transit time of a message
from sender to receiver, then any protocol or network that introduces variable,
unpredictable delays may render such time limits meaningless.
6. Computer security is essentially a battle of wits between a perpetrator who tries
to find holes, and the designer or administrator who tries to close them. The great
advantage that the attacker has is that he or she need only find a single weak-
ness, while the designer must find and eliminate all weaknesses to achieve perfect
security.
7. There is a natural tendency on the part of users and system managers to perceive
little benefit from security investment until a security failure occurs.
8. Security requires regular, even constant monitoring, and this is difficult in today’s
short-term, overloaded environment.
9. Security is still too often an afterthought to be incorporated into a system after
the design is complete, rather than being an integral part of the design process.
10. Many users and even security administrators view strong security as an impedi-
ment to efficient and user-friendly operation of an information system or use
of information.
The difficulties just enumerated will be encountered in numerous ways as we
examine the various security threats and mechanisms throughout this book.

A Model for Computer Security
We now introduce some terminology that will be useful throughout the book.3 Table
1.1 defines terms and Figure 1.2, based on [CCPS12a], shows the relationship among
some of these terms. We start with the concept of a system resource or asset, that
users and owners wish to protect. The assets of a computer system can be categorized
as follows:
Hardware: Including computer systems and other data processing, data storage,
and data communications devices.
Software: Including the operating system, system utilities, and applications.
Data: Including files and databases, as well as security-related data, such as
password files.
Communication facilities and networks: Local and wide area network com-
munication links, bridges, routers, and so on.
In the context of security, our concern is with the vulnerabilities of system
resources. [NRC02] lists the following general categories of vulnerabilities of a com-
puter system or network asset:
The system can be corrupted, so it does the wrong thing or gives wrong answers.
For example, stored data values may differ from what they should be because
they have been improperly modified.

3
See Chapter 0 for an explanation of RFCs.
30   CHAPTER 1 / Overview
Table 1.1 Computer Security Terminology

Adversary (threat agent)
Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Attack
Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system
resources or the information itself.
Countermeasure
A device or techniques that has as its objective the impairment of the operational effectiveness of ­undesirable
or adversarial activity, or the prevention of espionage, sabotage, theft, or unauthorized access to or use of
­sensitive information or information systems.
Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function
of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.
Security Policy
A set of criteria for the provision of security services. It defines and constrains the activities of a data process-
ing facility in order to maintain a condition of security for systems and data.
System Resource (Asset)
A major application, general support system, high impact program, physical plant, mission critical system, per-
sonnel, equipment, or a logically related group of systems.
Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, func-
tions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an informa-
tion system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that
could be exploited or triggered by a threat source.

Source: Stallings, William, Computer Security: Principles and Practice, 4e., ©2019. Reprinted and electronically
reproduced by permission of pearson education, inc., new york, ny.

The system can become leaky. For example, someone who should not have
access to some or all of the information available through the network obtains
such access.
The system can become unavailable or very slow. That is, using the system or
network becomes impossible or impractical.

Owners Threat agents
Value
Wish to abuse
Wish to Impose and/or
minimize may damage
Give
rise to
Countermeasures Assets

To
reduce

To To
Risk Threats
That
increase

Figure 1.2 Security Concepts and Relationships
 1.2 / THREATS, ATTACKS, AND ASSETS   31

These three general types of vulnerability correspond to the concepts of integrity,
confidentiality, and availability, enumerated earlier in this section.
Corresponding to the various types of vulnerabilities to a system resource are
threats that are capable of exploiting those vulnerabilities. A threat represents a
potential security harm to an asset. An attack is a threat that is carried out (threat
action) and, if successful, leads to an undesirable violation of security, or threat con-
sequence. The agent carrying out the attack is referred to as an attacker or threat
agent. We can distinguish two types of attacks:
Active attack: An attempt to alter system resources or affect their operation.
Passive attack: An attempt to learn or make use of information from the system
that does not affect system resources.
We can also classify attacks based on the origin of the attack:
Inside attack: Initiated by an entity inside the security perimeter (an “insider”).
The insider is authorized to access system resources but uses them in a way not
approved by those who granted the authorization.
Outside attack: Initiated from outside the perimeter, by an unauthorized or ille-
gitimate user of the system (an “outsider”). On the Internet, potential outside
attackers range from amateur pranksters to organized criminals, international
terrorists, and hostile governments.
Finally, a countermeasure is any means taken to deal with a security attack.
Ideally, a countermeasure can be devised to prevent a particular type of attack from
succeeding. When prevention is not possible, or fails in some instance, the goal is to
detect the attack then recover from the effects of the attack. A countermeasure may
itself introduce new vulnerabilities. In any case, residual vulnerabilities may remain
after the imposition of countermeasures. Such vulnerabilities may be exploited by
threat agents representing a residual level of risk to the assets. Owners will seek to
minimize that risk given other constraints.

1.2 THREATS, ATTACKS, AND ASSETS

We now turn to a more detailed look at threats, attacks, and assets. First, we look at
the types of security threats that must be dealt with, and then give some examples of
the types of threats that apply to different categories of assets.

Threats and Attacks
Table 1.2, based on RFC 4949, describes four kinds of threat consequences and lists
the kinds of attacks that result in each consequence.
Unauthorized disclosure is a threat to confidentiality. The following types of
attacks can result in this threat consequence:
Exposure: This can be deliberate, as when an insider intentionally releases sen-
sitive information, such as credit card numbers, to an outsider. It can also be
the result of a human, hardware, or software error, which results in an entity
gaining unauthorized knowledge of sensitive data. There have been numerous
32   CHAPTER 1 / Overview
Table 1.2 Threat Consequences, and the Types of Threat Actions that Cause Each Consequence
Threat Consequence Threat Action (Attack)
Unauthorized Disclosure Exposure: Sensitive data are directly released to an unauthorized
A circumstance or event whereby entity.
an entity gains access to data for Interception: An unauthorized entity directly accesses sensitive
which the entity is not authorized. data traveling between authorized sources and destinations.
Inference: A threat action whereby an unauthorized entity
­indirectly accesses sensitive data (but not necessarily the
data contained in the communication) by reasoning from
­characteristics or by-products of communications.
Intrusion: An unauthorized entity gains access to sensitive data
by circumventing a system’s security protections.
Deception Masquerade: An unauthorized entity gains access to a system or
A circumstance or event that performs a malicious act by posing as an authorized entity.
may result in an authorized entity Falsification: False data deceive an authorized entity.
receiving false data and believing it Repudiation: An entity deceives another by falsely denying
to be true. responsibility for an act.
Disruption Incapacitation: Prevents or interrupts system operation by
A circumstance or event that ­disabling a system component.
interrupts or prevents the correct Corruption: Undesirably alters system operation by adversely
operation of system services and modifying system functions or data.
functions. Obstruction: A threat action that interrupts delivery of system
services by hindering system operation.
Usurpation Misappropriation: An entity assumes unauthorized logical or
A circumstance or event that results physical control of a system resource.
in control of system services or Misuse: Causes a system component to perform a function or
functions by an unauthorized entity. ­service that is detrimental to system security.

Source: Based on RFC 4949

instances of this, such as universities accidentally posting confidential student
information on the Web.
Interception: Interception is a common attack in the context of communica-
tions. On a shared local area network (LAN), such as a wireless LAN or a
broadcast Ethernet, any device attached to the LAN can receive a copy of
packets intended for another device. On the Internet, a determined hacker can
gain access to e-mail traffic and other data transfers. All of these situations cre-
ate the potential for unauthorized access to data.
Inference: An example of inference is known as traffic analysis, in which an
adversary is able to gain information from observing the pattern of traffic on
a network, such as the amount of traffic between particular pairs of hosts on
the network. Another example is the inference of detailed information from a
database by a user who has only limited access; this is accomplished by repeated
queries whose combined results enable inference.
Intrusion: An example of intrusion is an adversary gaining unauthorized access
to sensitive data by overcoming the system’s access control protections.
 1.2 / THREATS, ATTACKS, AND ASSETS   33

Deception is a threat to either system integrity or data integrity. The following
types of attacks can result in this threat consequence:
Masquerade: One example of masquerade is an attempt by an unauthorized
user to gain access to a system by posing as an authorized user; this could hap-
pen if the unauthorized user has learned another user’s logon ID and password.
Another example is malicious logic, such as a Trojan horse, that appears to
perform a useful or desirable function but actually gains unauthorized access
to system resources, or tricks a user into executing other malicious logic.
Falsification: This refers to the altering or replacing of valid data or the intro-
duction of false data into a file or database. For example, a student may alter
his or her grades on a school database.
Repudiation: In this case, a user either denies sending data, or a user denies
receiving or possessing the data.
Disruption is a threat to availability or system integrity. The following types of
attacks can result in this threat consequence:
Incapacitation: This is an attack on system availability. This could occur as a
result of physical destruction of or damage to system hardware. More typically,
malicious software, such as Trojan horses, viruses, or worms, could operate in
such a way as to disable a system or some of its services.
Corruption: This is an attack on system integrity. Malicious software in this
context could operate in such a way that system resources or services function
in an unintended manner. Or a user could gain unauthorized access to a system
and modify some of its functions. An example of the latter is a user placing
backdoor logic in the system to provide subsequent access to a system and its
resources by other than the usual procedure.
Obstruction: One way to obstruct system operation is to interfere with commu-
nications by disabling communication links or altering communication control
information. Another way is to overload the system by placing excess burden
on communication traffic or processing resources.
Usurpation is a threat to system integrity. The following types of attacks can
result in this threat consequence:
Misappropriation: This can include theft of service. An example is a distributed
denial of service attack, when malicious software is installed on a number of hosts
to be used as platforms to launch traffic at a target host. In this case, the malicious
software makes unauthorized use of processor and operating system resources.
Misuse: Misuse can occur by means of either malicious logic or a hacker that
has gained unauthorized access to a system. In either case, security functions
can be disabled or thwarted.

Threats and Assets
The assets of a computer system can be categorized as hardware, software, data, and
communication lines and networks. In this subsection, we briefly describe these four
34   CHAPTER 1 / Overview
categories and relate these to the concepts of integrity, confidentiality, and availability
introduced in Section 1.1 (see Figure 1.3 and Table 1.3).
Hardware A major threat to computer system hardware is the threat to availabil-
ity. Hardware is the most vulnerable to attack and the least susceptible to automated
controls. Threats include accidental and deliberate damage to equipment as well as
theft. The proliferation of personal computers and workstations and the widespread
use of LANs increase the potential for losses in this area. Theft of USB drives can
lead to loss of confidentiality. Physical and administrative security measures are
needed to deal with these threats.
Software Software includes the operating system, utilities, and application pro-
grams. A key threat to software is an attack on availability. Software, especially
application software, is often easy to delete. Software can also be altered or damaged
to render it useless. Careful software configuration management, which includes
making backups of the most recent version of software, can maintain high avail-
ability. A more difficult problem to deal with is software modification that results
in a program that still functions but that behaves differently than before, which is a
threat to integrity/authenticity. Computer viruses and related attacks fall into this
category. A final problem is protection against software piracy. Although certain

Computer system Computer system
4 Sensitive files
must be secure
Data (file security) Data

1 Access to the data 3 Data must be
must be controlled securely transmitted
(protection) through networks
(network security)

Processes representing users Processes representing users
Guard Guard

2 Access to the computer
facility must be controlled
(user authentication)
Users making requests

Figure 1.3 Scope of Computer Security
Note: This figure depicts security concerns other than physical security, including controlling of
access to computers systems, safeguarding of data transmitted over communications systems, and
­safeguarding of stored data.
 1.2 / THREATS, ATTACKS, AND ASSETS   35

Table 1.3 Computer and Network Assets, with Examples of Threats
Availability Confidentiality Integrity
Hardware Equipment is stolen or An unencrypted
­disabled, thus denying USB drive is stolen.
service.
Software Programs are deleted, An unauthorized copy of A working program is modi-
­denying access to users. software is made. fied, either to cause it to fail
during execution or to cause
it to do some unintended task.
Data Files are deleted, denying An unauthorized read Existing files are modified or
access to users. of data is performed. An new files are fabricated.
analysis of statistical data
reveals underlying data.
­Communication Messages are destroyed or Messages are read. The Messages are modified,
Lines and deleted. ­Communication traffic pattern of ­messages delayed, reordered, or dupli-
Networks lines or networks are is observed. cated. False messages are
­rendered unavailable. fabricated.

countermeasures are available, by and large the problem of unauthorized copying
of software has not been solved.
Data Hardware and software security are typically concerns of computing cen-
ter professionals or individual concerns of personal computer users. A much more
widespread problem is data security, which involves files and other forms of data
controlled by individuals, groups, and business organizations.
Security concerns with respect to data are broad, encompassing availability,
secrecy, and integrity. In the case of availability, the concern is with the destruction
of data files, which can occur either accidentally or maliciously.
The obvious concern with secrecy is the unauthorized reading of data files or
databases, and this area has been the subject of perhaps more research and effort
than any other area of computer security. A less obvious threat to secrecy involves the
analysis of data and manifests itself in the use of so-called statistical databases, which
provide summary or aggregate information. Presumably, the existence of aggregate
information does not threaten the privacy of the individuals involved. However, as
the use of statistical databases grows, there is an increasing potential for disclosure
of personal information. In essence, characteristics of constituent individuals may be
identified through careful analysis. For example, if one table records the aggregate of
the incomes of respondents A, B, C, and D and another records the aggregate of the
incomes of A, B, C, D, and E, the difference between the two aggregates would be the
income of E. This problem is exacerbated by the increasing desire to combine data
sets. In many cases, matching several sets of data for consistency at different levels
of aggregation requires access to individual units. Thus, the individual units, which
are the subject of privacy concerns, are available at various stages in the processing
of data sets.
Finally, data integrity is a major concern in most installations. Modifications to
data files can have consequences ranging from minor to disastrous.
36   CHAPTER 1 / Overview
Communication Lines and Networks Network security attacks can be classified
as passive attacks and active attacks. A passive attack attempts to learn or make use of
information from the system, but does not affect system resources. An active attack
attempts to alter system resources or affect their operation.
Passive attacks are in the nature of eavesdropping on, or monitoring of, trans-
missions. The goal of the attacker is to obtain information that is being transmit-
ted. Two types of passive attacks are the release of message contents and traffic
analysis.
The release of message contents is easily understood. A telephone conversation,
an electronic mail message, and a transferred file may contain sensitive or confiden-
tial information. We would like to prevent an opponent from learning the contents
of these transmissions.
A second type of passive attack, traffic analysis, is more subtle. Suppose we
had a way of masking the contents of messages or other information traffic so oppo-
nents, even if they captured the message, could not extract the information from
the ­message. The common technique for masking contents is encryption. If we had
encryption protection in place, an opponent might still be able to observe the ­pattern
of these messages. The opponent could determine the location and identity of com-
municating hosts and could observe the frequency and length of messages being
exchanged. This information might be useful in guessing the nature of the communi-
cation that was taking place.
Passive attacks are very difficult to detect because they do not involve any
alteration of the data. Typically, the message traffic is sent and received in an appar-
ently normal fashion and neither the sender nor receiver is aware that a third party
has read the messages or observed the traffic pattern. However, it is feasible to pre-
vent the success of these attacks, usually by means of encryption. Thus, the emphasis
in dealing with passive attacks is on prevention rather than detection.
Active attacks involve some modification of the data stream or the creation
of a false stream, and can be subdivided into four categories: replay, masquerade,
modification of messages, and denial of service.
Replay involves the passive capture of a data unit and its subsequent retrans-
mission to produce an unauthorized effect.
A masquerade takes place when one entity pretends to be a different entity.
A masquerade attack usually includes one of the other forms of active attack. For
example, authentication sequences can be captured and replayed after a valid
authentication sequence has taken place, thus enabling an authorized entity with
few privileges to obtain extra privileges by impersonating an entity that has those
privileges.
Modification of messages simply means that some portion of a legitimate
message is altered, or that messages are delayed or reordered, to produce an unau-
thorized effect. For example, a message stating, “Allow John Smith to read confi-
dential file accounts” is modified to say, “Allow Fred Brown to read confidential
file accounts.”
The denial of service prevents or inhibits the normal use or management of
communication facilities. This attack may have a specific target; for example, an
entity may suppress all messages directed to a particular destination (e.g., the security
 1.3 / SECURITY FUNCTIONAL REQUIREMENTS   37

audit service). Another form of service denial is the disruption of an entire network,
either by disabling the network or by overloading it with messages so as to degrade
performance.
Active attacks present the opposite characteristics of passive attacks. Whereas
passive attacks are difficult to detect, measures are available to prevent their success.
On the other hand, it is quite difficult to prevent active attacks absolutely, because
to do so would require physical protection of all communication facilities and paths
at all times. Instead, the goal is to detect them and to recover from any disruption
or delays caused by them. Because the detection has a deterrent effect, it may also
contribute to prevention.

1.3 SECURITY FUNCTIONAL REQUIREMENTS

There are a number of ways of classifying and characterizing the countermeasures
that may be used to reduce vulnerabilities and deal with threats to system assets. In
this section, we view countermeasures in terms of functional requirements, and we
follow the classification defined in FIPS 200 (Minimum Security Requirements for
Federal Information and Information Systems). This standard enumerates 17 security-
related areas with regard to protecting the confidentiality, integrity, and availability of
information systems and the information processed, stored, and transmitted by those
systems. The areas are defined in Table 1.4.
The requirements listed in FIPS 200 encompass a wide range of counter-
measures to security vulnerabilities and threats. Roughly, we can divide these
­countermeasures into two categories: those that require computer security technical
measures (covered in Parts One and Two), either hardware or software, or both; and
those that are fundamentally management issues (covered in Part Three).
Each of the functional areas may involve both computer security technical mea-
sures and management measures. Functional areas that primarily require computer
security technical measures include access control, identification and authentica-
tion, system and communication protection, and system and information integrity.
Functional areas that primarily involve management controls and procedures include
awareness and training; audit and accountability; certification, accreditation, and
security assessments; contingency planning; maintenance; physical and environmen-
tal protection; planning; personnel security; risk assessment; and systems and services
acquisition. Functional areas that overlap computer security technical measures and
management controls include configuration management, incident response, and
media protection.
Note the majority of the functional requirements areas in FIPS 200 are either
primarily issues of management or at least have a significant management com-
ponent, as opposed to purely software or hardware solutions. This may be new to
some readers, and is not reflected in many of the books on computer and informa-
tion security. But as one computer security expert observed, “If you think tech-
nology can solve your security problems, then you don’t understand the problems
and you don’t understand the technology” [SCHN00]. This book reflects the need
38   CHAPTER 1 / Overview
Table 1.4 Security Requirements
Access Control: Limit information system access to authorized users, processes acting on behalf of authorized
users, or devices (including other information systems) and to the types of transactions and functions that
authorized users are permitted to exercise.
Awareness and Training: (i) Ensure that managers and users of organizational information systems are made
aware of the security risks associated with their activities and of the applicable laws, regulations, and policies
related to the security of organizational information systems; and (ii) ensure that personnel are adequately
trained to carry out their assigned information security-related duties and responsibilities.
Audit and Accountability: (i) Create, protect, and retain information system audit records to the
extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized,
or ­inappropriate information system activity; and (ii) ensure that the actions of individual information
system users can be uniquely traced to those users so they can be held accountable for their
actions.
Certification, Accreditation, and Security Assessments: (i) Periodically assess the security controls in
­organizational information systems to determine if the controls are effective in their application; (ii) develop
and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in
­organizational information systems; (iii) authorize the operation of organizational information systems and
any associated information system connections; and (iv) monitor information system security controls on an
ongoing basis to ensure the continued effectiveness of the controls.
Configuration Management: (i) Establish and maintain baseline configurations and inventories of
­organizational information systems (including hardware, software, firmware, and documentation)
throughout the respective system development life cycles; and (ii) establish and enforce security
configuration settings for information technology products employed in organizational information
systems.
Contingency Planning: Establish, maintain, and implement plans for emergency response, backup ­
operations, and postdisaster recovery for organizational information systems to ensure the availability
of critical ­information resources and continuity of operations in emergency situations.
Identification and Authentication: Identify information system users, processes acting on behalf of users, or
devices, and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to
allowing access to organizational information systems.
Incident Response: (i) Establish an operational incident-handling capability for organizational information
systems that includes adequate preparation, detection, analysis, containment, recovery, and user-response
­activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or
authorities.
Maintenance: (i) Perform periodic and timely maintenance on organizational information systems; and
(ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct
information system maintenance.
Media Protection: (i) Protect information system media, both paper and digital; (ii) limit access to information
on information system media to authorized users; and (iii) sanitize or destroy information system media before
disposal or release for reuse.
Physical and Environmental Protection: (i) Limit physical access to information systems, equipment, and
the respective operating environments to authorized individuals; (ii) protect the physical plant and support
­infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect
information systems against environmental hazards; and (v) provide appropriate environmental controls in
facilities containing information systems.
Planning: Develop, document, periodically update, and implement security plans for organizational informa-
tion systems that describe the security controls in place or planned for the information systems and the rules
of behavior for individuals accessing the information systems.

(Continued)
 1.4 / FUNDAMENTAL SECURITY DESIGN PRINCIPLES   39

Personnel Security: (i) Ensure that individuals occupying positions of responsibility within organizations
(including third-party service providers) are trustworthy and meet established security criteria for t