Determine if your employer, or an organization you are familiar with, uses a traditional model of access control, RBAC, or ABAC

Subject: Computer Science

Determine if your employer, or an organization you are familiar with, uses a traditional model of access control, RBAC, or ABAC. Discuss the benefits and/or issues associated with this approach to access control. Could the organization benefit from another model of access control?

You are required to reply to at least two of your peers’ discussion question post answers to this weekly discussion question and/or your instructor’s response to your post. These replies need to be substantial and constructive in nature. They should add to the content of the post and evaluate/analyze that post answer. Normal course dialogue doesn’t fulfill these two peer replies, but is expected throughout the course.

Be sure to support your statements with logic and argument, citing any sources referenced. Post your initial response early and check back often to continue the discussion. Be sure to respond to at least two of your peers’ posts as well.
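To make the comparison the question asks for concrete, here is an added example in Python (it is not part of the assignment prompt or of the Stallings and Brown text referenced below). It implements the three models as small policy decision points over one constructed data set: a DAC check where each document's owner manages an ACL, an RBAC check with a role hierarchy, and an ABAC check whose rules compare subject, object and environment attributes. It also includes two checks a practitioner would run when deciding whether an organization should move between models: how many roles RBAC needs to emulate one department-scoped ABAC rule, and what answering "who can read this document?" costs under ABAC. All users, roles, documents, clearance levels, the managed-device condition and the business-hours window are illustrative assumptions.

```python
# Added example: DAC, RBAC and ABAC decision points over one constructed data set.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

LEVEL = {"public": 0, "internal": 1, "restricted": 2}  # classification order (assumed)


@dataclass
class Doc:
    name: str
    owner: str
    department: str
    classification: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # DAC: subject -> actions


@dataclass
class Subject:
    name: str
    department: str
    clearance: int        # index into LEVEL
    device_managed: bool


# ---- DAC: the owner of each object manages its ACL ----
def dac_allowed(doc: Doc, subject: str, action: str) -> bool:
    """Owner has full control; others need an explicit grant. Issue: policy is
    scattered across per-object ACLs and any owner can grant anyone anything."""
    return subject == doc.owner or action in doc.acl.get(subject, set())


# ---- RBAC: permissions attach to roles; roles form a hierarchy ----
ROLE_PERMS: Dict[str, Set[str]] = {
    "employee": {"read:public"},
    "analyst": {"read:internal"},
    "manager": {"read:restricted", "approve"},
}
ROLE_PARENTS = {"analyst": {"employee"}, "manager": {"analyst"}}  # child -> parents
USER_ROLES = {"alice": {"manager"}, "bob": {"analyst"}, "carol": {"employee"}}


def effective_roles(role: str) -> Set[str]:
    """Transitive closure of the hierarchy: a manager also holds analyst and employee."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_PARENTS.get(r, set()))
    return seen


def rbac_allowed(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(r, set())
               for assigned in USER_ROLES.get(user, set())
               for r in effective_roles(assigned))


def rbac_emulate_department_scoping(departments: List[str]) -> Dict[str, Set[str]]:
    """What RBAC needs to say 'read your own department's documents up to your
    clearance': a role per (department, level) pair, because a role cannot
    compare a user attribute with an object attribute (role explosion)."""
    roles: Dict[str, Set[str]] = {}
    for dept in departments:
        for cls, lvl in LEVEL.items():
            roles[f"{dept}_{cls}"] = {f"read:{dept}:{c}" for c, l in LEVEL.items() if l <= lvl}
    return roles


# ---- ABAC: rules over subject, object and environment attributes ----
Rule = Callable[[Subject, Doc, str, dict], bool]

ABAC_RULES: Dict[str, Rule] = {
    # clearance must dominate classification; non-public documents are department-scoped
    "need_to_know": lambda s, d, a, env: a == "read"
        and s.clearance >= LEVEL[d.classification]
        and (d.classification == "public" or s.department == d.department),
    # restricted material only from a managed device during business hours (assumed policy)
    "restricted_context": lambda s, d, a, env: d.classification != "restricted"
        or (s.device_managed and 8 <= env["hour"] < 18),
}


def abac_allowed(s: Subject, d: Doc, action: str, env: dict) -> bool:
    """Deny-overrides combining: every rule must permit. Only 'read' is modelled."""
    return all(rule(s, d, action, env) for rule in ABAC_RULES.values())


def abac_who_can_read(doc: Doc, subjects: List[Subject], env: dict) -> Set[str]:
    """Audit caveat: under ABAC 'who can access X?' has no static answer; it must be
    computed by evaluating the policy per subject for a fixed environment."""
    return {s.name for s in subjects if abac_allowed(s, doc, "read", env)}


# constructed sample data
FINANCE_PLAN = Doc("q3-plan", owner="alice", department="finance",
                   classification="restricted", acl={"bob": {"read"}})
ALICE = Subject("alice", "finance", clearance=2, device_managed=True)
BOB = Subject("bob", "finance", clearance=1, device_managed=True)
DAVE = Subject("dave", "engineering", clearance=2, device_managed=False)
SUBJECTS = [ALICE, BOB, DAVE]

if __name__ == "__main__":
    print("DAC  bob reads q3-plan:", dac_allowed(FINANCE_PLAN, "bob", "read"))
    print("ABAC bob reads q3-plan:", abac_allowed(BOB, FINANCE_PLAN, "read", {"hour": 10}))
    print("RBAC roles to scope 5 departments:",
          len(rbac_emulate_department_scoping(["fin", "eng", "hr", "ops", "legal"])))
    print("Who can read q3-plan at 10:00:", abac_who_can_read(FINANCE_PLAN, SUBJECTS, {"hour": 10}))
```

Run it directly to see the decisions. What it shows for the discussion: under DAC, Alice can hand Bob a read grant that the ABAC policy refuses (his clearance is below the document's classification), which is the delegation-versus-central-enforcement trade-off in one line; RBAC keeps the role-to-permission mapping static and easy to audit, but scoping reads to five departments already needs fifteen roles; ABAC states the same intent in one rule and can add device and time-of-day context, at the cost that "who can read this?" becomes a computation over every subject rather than a lookup.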

Computer Security: Principles and Practice, Third Edition
William Stallings and Lawrie Brown (UNSW Canberra at the Australian Defence Force Academy)
Pearson Education, Inc. Copyright © 2015, 2012, 2008. ISBN-13 978-0-13-377392-7, ISBN-10 0-13-377392-2. Library of Congress Cataloging-in-Publication Data: Stallings, William, author. Computer security: principles and practice / William Stallings, Lawrie Brown. Third edition. QA76.9.A25S685 2014, 005.8, dc23, 2014012092.

Contents

Online Resources
Preface
Notation
About the Authors

Chapter 0 Reader's and Instructor's Guide
  0.1 Outline of this Book
  0.2 A Roadmap for Readers and Instructors
  0.3 Support for CISSP Certification
  0.4 Support for NSA/DHS Certification
  0.5 Support for ACM/IEEE Computer Society Computer Science Curricula 2013
  0.6 Internet and Web Resources
  0.7 Standards

Chapter 1 Overview
  1.1 Computer Security Concepts
  1.2 Threats, Attacks, and Assets
  1.3 Security Functional Requirements
  1.4 Fundamental Security Design Principles
  1.5 Attack Surfaces and Attack Trees
  1.6 Computer Security Strategy
  1.7 Recommended Reading
  1.8 Key Terms, Review Questions, and Problems

Part One: Computer Security Technology and Principles

Chapter 2 Cryptographic Tools
  2.1 Confidentiality with Symmetric Encryption
  2.2 Message Authentication and Hash Functions
  2.3 Public-Key Encryption
  2.4 Digital Signatures and Key Management
  2.5 Random and Pseudorandom Numbers
  2.6 Practical Application: Encryption of Stored Data
  2.7 Recommended Reading
  2.8 Key Terms, Review Questions, and Problems

Chapter 3 User Authentication
  3.1 Electronic User Authentication Principles
  3.2 Password-Based Authentication
  3.3 Token-Based Authentication
  3.4 Biometric Authentication
  3.5 Remote User Authentication
  3.6 Security Issues for User Authentication
  3.7 Practical Application: An Iris Biometric System
  3.8 Case Study: Security Problems for ATM Systems
  3.9 Recommended Reading
  3.10 Key Terms, Review Questions, and Problems

Chapter 4 Access Control
  4.1 Access Control Principles
  4.2 Subjects, Objects, and Access Rights
  4.3 Discretionary Access Control
  4.4 Example: UNIX File Access Control
  4.5 Role-Based Access Control
  4.6 Attribute-Based Access Control
  4.7 Identity, Credential, and Access Management
  4.8 Trust Frameworks
  4.9 Case Study: RBAC System for a Bank
  4.10 Recommended Reading
  4.11 Key Terms, Review Questions, and Problems

Chapter 5 Database and Cloud Security
  5.1 The Need for Database Security
  5.2 Database Management Systems
  5.3 Relational Databases
  5.4 SQL Injection Attacks
  5.5 Database Access Control
  5.6 Inference
  5.7 Database Encryption
  5.8 Cloud Computing
  5.9 Cloud Security Risks and Countermeasures
  5.10 Data Protection in the Cloud
  5.11 Cloud Security as a Service
  5.12 Recommended Reading
  5.13 Key Terms, Review Questions, and Problems

Chapter 6 Malicious Software
  6.1 Types of Malicious Software (Malware)
  6.2 Advanced Persistent Threat
  6.3 Propagation—Infected Content—Viruses
  6.4 Propagation—Vulnerability Exploit—Worms
  6.5 Propagation—Social Engineering—Spam E-Mail, Trojans
  6.6 Payload—System Corruption
  6.7 Payload—Attack Agent—Zombie, Bots
  6.8 Payload—Information Theft—Keyloggers, Phishing, Spyware
  6.9 Payload—Stealthing—Backdoors, Rootkits
  6.10 Countermeasures
  6.11 Recommended Reading
  6.12 Key Terms, Review Questions, and Problems

Chapter 7 Denial-of-Service Attacks
  7.1 Denial-of-Service Attacks
  7.2 Flooding Attacks
  7.3 Distributed Denial-of-Service Attacks
  7.4 Application-Based Bandwidth Attacks
  7.5 Reflector and Amplifier Attacks
  7.6 Defenses Against Denial-of-Service Attacks
  7.7 Responding to a Denial-of-Service Attack
  7.8 Recommended Reading
  7.9 Key Terms, Review Questions, and Problems

Chapter 8 Intrusion Detection
  8.1 Intruders
  8.2 Intrusion Detection
  8.3 Analysis Approaches
  8.4 Host-Based Intrusion Detection
  8.5 Network-Based Intrusion Detection
  8.6 Distributed or Hybrid Intrusion Detection
  8.7 Intrusion Detection Exchange Format
  8.8 Honeypots
  8.9 Example System: Snort
  8.10 Recommended Reading
  8.11 Key Terms, Review Questions, and Problems

Chapter 9 Firewalls and Intrusion Prevention Systems
  9.1 The Need for Firewalls
  9.2 Firewall Characteristics and Access Policy
  9.3 Types of Firewalls
  9.4 Firewall Basing
  9.5 Firewall Location and Configurations
  9.6 Intrusion Prevention Systems
  9.7 Example: Unified Threat Management Products
  9.8 Recommended Reading
  9.9 Key Terms, Review Questions, and Problems

Part Two: Software Security and Trusted Systems

Chapter 10 Buffer Overflow
  10.1 Stack Overflows
  10.2 Defending Against Buffer Overflows
  10.3 Other Forms of Overflow Attacks
  10.4 Recommended Reading
  10.5 Key Terms, Review Questions, and Problems

Chapter 11 Software Security
  11.1 Software Security Issues
  11.2 Handling Program Input
  11.3 Writing Safe Program Code
  11.4 Interacting with the Operating System and Other Programs
  11.5 Handling Program Output
  11.6 Recommended Reading
  11.7 Key Terms, Review Questions, and Problems

Chapter 12 Operating System Security
  12.1 Introduction to Operating System Security
  12.2 System Security Planning
  12.3 Operating Systems Hardening
  12.4 Application Security
  12.5 Security Maintenance
  12.6 Linux/Unix Security
  12.7 Windows Security
  12.8 Virtualization Security
  12.9 Recommended Reading
  12.10 Key Terms, Review Questions, and Problems

Chapter 13 Trusted Computing and Multilevel Security
  13.1 The Bell-LaPadula Model for Computer Security
  13.2 Other Formal Models for Computer Security
  13.3 The Concept of Trusted Systems
  13.4 Application of Multilevel Security
  13.5 Trusted Computing and the Trusted Platform Module
  13.6 Common Criteria for Information Technology Security Evaluation
  13.7 Assurance and Evaluation
  13.8 Recommended Reading
  13.9 Key Terms, Review Questions, and Problems

Part Three: Management Issues

Chapter 14 IT Security Management and Risk Assessment
  14.1 IT Security Management
  14.2 Organizational Context and Security Policy
  14.3 Security Risk Assessment
  14.4 Detailed Security Risk Analysis
  14.5 Case Study: Silver Star Mines
  14.6 Recommended Reading
  14.7 Key Terms, Review Questions, and Problems

Chapter 15 IT Security Controls, Plans, and Procedures
  15.1 IT Security Management Implementation
  15.2 Security Controls or Safeguards
  15.3 IT Security Plan
  15.4 Implementation of Controls
  15.5 Monitoring Risks
  15.6 Case Study: Silver Star Mines
  15.7 Recommended Reading
  15.8 Key Terms, Review Questions, and Problems

Chapter 16 Physical and Infrastructure Security
  16.1 Overview
  16.2 Physical Security Threats
  16.3 Physical Security Prevention and Mitigation Measures
  16.4 Recovery From Physical Security Breaches
  16.5 Example: A Corporate Physical Security Policy
  16.6 Integration of Physical and Logical Security
  16.7 Recommended Reading
  16.8 Key Terms, Review Questions, and Problems

Chapter 17 Human Resources Security
  17.1 Security Awareness, Training, and Education
  17.2 Employment Practices and Policies
  17.3 E-Mail and Internet Use Policies
  17.4 Computer Security Incident Response Teams
  17.5 Recommended Reading
  17.6 Key Terms, Review Questions, and Problems

Chapter 18 Security Auditing
  18.1 Security Auditing Architecture
  18.2 Security Audit Trail
  18.3 Implementing the Logging Function
  18.4 Audit Trail Analysis
  18.5 Example: An Integrated Approach
  18.6 Recommended Reading
  18.7 Key Terms, Review Questions, and Problems

Chapter 19 Legal and Ethical Aspects
  19.1 Cybercrime and Computer Crime
  19.2 Intellectual Property
  19.3 Privacy
  19.4 Ethical Issues
  19.5 Recommended Reading
  19.6 Key Terms, Review Questions, and Problems

Part Four: Cryptographic Algorithms

Chapter 20 Symmetric Encryption and Message Confidentiality
  20.1 Symmetric Encryption Principles
  20.2 Data Encryption Standard
  20.3 Advanced Encryption Standard
  20.4 Stream Ciphers and RC4
  20.5 Cipher Block Modes of Operation
  20.6 Location of Symmetric Encryption Devices
  20.7 Key Distribution
  20.8 Recommended Reading
  20.9 Key Terms, Review Questions, and Problems

Chapter 21 Public-Key Cryptography and Message Authentication
  21.1 Secure Hash Functions
  21.2 HMAC
  21.3 The RSA Public-Key Encryption Algorithm
  21.4 Diffie-Hellman and Other Asymmetric Algorithms
  21.5 Recommended Reading
  21.6 Key Terms, Review Questions, and Problems

Part Five: Network Security

Chapter 22 Internet Security Protocols and Standards
  22.1 Secure E-Mail and S/MIME
  22.2 DomainKeys Identified Mail
  22.3 Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
  22.4 HTTPS
  22.5 IPv4 and IPv6 Security
  22.6 Recommended Reading
  22.7 Key Terms, Review Questions, and Problems

Chapter 23 Internet Authentication Applications
  23.1 Kerberos
  23.2 X.509
  23.3 Public-Key Infrastructure
  23.4 Recommended Reading
  23.5 Key Terms, Review Questions, and Problems

Chapter 24 Wireless Network Security
  24.1 Wireless Security
  24.2 Mobile Device Security
  24.3 IEEE 802.11 Wireless LAN Overview
  24.4 IEEE 802.11i Wireless LAN Security
  24.5 Recommended Reading
  24.6 Key Terms, Review Questions, and Problems

Appendix A Projects and Other Student Exercises for Teaching Computer Security
  A.1 Hacking Project
  A.2 Laboratory Exercises
  A.3 Security Education (SEED) Projects
  A.4 Research Projects
  A.5 Programming Projects
  A.6 Practical Security Assessments
  A.7 Firewall Projects
  A.8 Case Studies
  A.9 Reading/Report Assignments
  A.10 Writing Assignments
  A.11 Webcasts for Teaching Computer Security

Acronyms
References
Index

Online Chapters and Appendices (Premium Content, available via the access card at the front of the book)

Chapter 25 Linux Security
  25.1 Introduction
  25.2 Linux's Security Model
  25.3 The Linux DAC in Depth: Filesystem Security
  25.4 Linux Vulnerabilities
  25.5 Linux System Hardening
  25.6 Application Security
  25.7 Mandatory Access Controls
  25.8 Recommended Reading
  25.9 Key Terms, Review Questions, and Problems

Chapter 26 Windows and Windows Vista Security
  26.1 Windows Security Architecture
  26.2 Windows Vulnerabilities
  26.3 Windows Security Defenses
  26.4 Browser Defenses
  26.5 Cryptographic Services
  26.6 Common Criteria
  26.7 Recommended Reading
  26.8 Key Terms, Review Questions, Problems, and Projects

Appendix B Some Aspects of Number Theory
Appendix C Standards and Standard-Setting Organizations
Appendix D Random and Pseudorandom Number Generation
Appendix E Message Authentication Codes Based on Block Ciphers
Appendix F TCP/IP Protocol Architecture
Appendix G Radix-64 Conversion
Appendix H Security Policy-Related Documents
Appendix I The Domain Name System
Appendix J The Base-Rate Fallacy
Appendix K SHA-3
Appendix L Glossary

Preface

What's New in the Third Edition

Since the second edition of this book was published, the field has seen continued innovations and improvements. In this new edition, we try to capture these changes while maintaining a broad and comprehensive coverage of the entire field. To begin the process of revision, the second edition of this book was extensively reviewed by a number of professors who teach the subject and by professionals working in the field. The result is that in many places the narrative has been clarified and tightened, and illustrations have been improved. Beyond these refinements to improve pedagogy and user-friendliness, there have been major substantive changes throughout the book. The most noteworthy changes are as follows:

• Fundamental security design principles: Chapter 1 includes a new section discussing the security design principles listed as fundamental by the National Centers of Academic Excellence in Information Assurance/Cyber Defense, which is jointly sponsored by the U.S. National Security Agency and the U.S. Department of Homeland Security.
• Attack surfaces and attack trees: Chapter 1 includes a new section describing these two concepts, which are useful in evaluating and classifying security threats.
• User authentication model: Chapter 3 includes a new description of a general model for user authentication, which helps to unify the discussion of the various approaches to user authentication.
• Attribute-based access control (ABAC): Chapter 4 has a new section devoted to ABAC, which is becoming increasingly widespread.
• Identity, credential, and access management (ICAM): Chapter 4 includes a new section on ICAM, which is a comprehensive approach to managing and implementing digital identities (and associated attributes), credentials, and access control.
• Trust frameworks: Chapter 4 includes a new section on the Open Identity Trust Framework, which is an open, standardized approach to trustworthy identity and attribute exchange that is becoming increasingly widespread.
• SQL injection attacks: Chapter 5 includes a new section on the SQL injection attack, which is one of the most prevalent and dangerous network-based security threats.
• Cloud security: The material on cloud security in Chapter 5 has been updated and expanded to reflect its importance and recent developments.
• Malware: The material on malware, and on categories of intruders, has been revised to reflect the latest developments, including details of Advanced Persistent Threats, which are most likely due to nation-state actors.
• Intrusion detection/intrusion prevention systems: The material on IDS/IPS has been updated to reflect new developments in the field, including the latest developments in Host-Based Intrusion Detection Systems that assist in implementing a defense-in-depth strategy.
• Human resources: Security lapses due to human factors and social engineering are of increasing concern, including several recent cases of massive data exfiltration by insiders. Addressing such lapses requires a complex mix of procedural and technical controls, which we review in several significantly revised sections.
• Mobile device security: Mobile device security has become an essential aspect of enterprise network security, especially for devices in the category known as bring your own device (BYOD). A new section in Chapter 24 covers this important topic.
• SHA-3: This recently adopted cryptographic hash standard is covered in a new appendix.

Background

Interest in education in computer security and related topics has been growing at a dramatic rate in recent years. This interest has been spurred by a number of factors, two of which stand out:

1. As information systems, databases, and Internet-based distributed systems and communication have become pervasive in the commercial world, coupled with the increased intensity and sophistication of security-related attacks, organizations now recognize the need for a comprehensive security strategy. This strategy encompasses the use of specialized hardware and software and trained personnel to meet that need.
2. Computer security education, often termed information security education or information assurance education, has emerged as a national goal in the United States and other countries, with national defense and homeland security implications. The NSA/DHS National Center of Academic Excellence in Information Assurance/Cyber Defense is spearheading a government role in the development of standards for computer security education.

Accordingly, the number of courses in universities, community colleges, and other institutions in computer security and related areas is growing.

Objectives

The objective of this book is to provide an up-to-date survey of developments in computer security. Central problems that confront security designers and security administrators include defining the threats to computer and network systems, evaluating the relative risks of these threats, and developing cost-effective and user-friendly countermeasures. The following basic themes unify the discussion:

• Principles: Although the scope of this book is broad, there are a number of basic principles that appear repeatedly as themes and that unify this field. Examples are issues relating to authentication and access control. The book highlights these principles and examines their application in specific areas of computer security.
• Design approaches: The book examines alternative approaches to meeting specific computer security requirements.
• Standards: Standards have come to assume an increasingly important, indeed dominant, role in this field. An understanding of the current status and future direction of technology requires a comprehensive discussion o...
 
