Beautiful Security. Leading Security Experts Explain How They Think - Helion
ISBN: 978-05-965-5554-2
Pages: 302, Format: ebook
Publication date: 2009-04-17
Bookstore: Helion
Book price: 118,15 zł (previously: 137,38 zł)
You save: 14% (-19,23 zł)
Although most people don't give security much attention until their personal or business systems are attacked, this thought-provoking anthology demonstrates that digital security is not only worth thinking about, it's also a fascinating topic. Criminals succeed by exercising enormous creativity, and those defending against them must do the same.
Beautiful Security explores this challenging subject with insightful essays and analysis on topics that include:
- The underground economy for personal information: how it works, the relationships among criminals, and some of the new ways they pounce on their prey
- How social networking, cloud computing, and other popular trends help or hurt our online security
- How metrics, requirements gathering, design, and law can take security to a higher level
- The real, little-publicized history of PGP
This book includes contributions from:
- Peiter "Mudge" Zatko
- Jim Stickley
- Elizabeth Nichols
- Chenxi Wang
- Ed Bellis
- Ben Edelman
- Phil Zimmermann and Jon Callas
- Kathy Wang
- Mark Curphey
- John McManus
- James Routh
- Randy V. Sabett
- Anton Chuvakin
- Grant Geyer and Brian Dunphy
- Peter Wayner
- Michael Wood and Fernando Francisco
All royalties will be donated to the Internet Engineering Task Force (IETF).
Customers who bought "Beautiful Security. Leading Security Experts Explain How They Think" also chose:
- Securing Network Infrastructure 199,33 zł, (29,90 zł -85%)
- Implementing Azure: Putting Modern DevOps to Use 175,88 zł, (29,90 zł -83%)
- Industrial Internet Application Development 157,37 zł, (29,90 zł -81%)
- Web Penetration Testing with Kali Linux - Third Edition 157,37 zł, (29,90 zł -81%)
- Nmap: Network Exploration and Security Auditing Cookbook - Second Edition 157,37 zł, (29,90 zł -81%)
Table of contents
Beautiful Security. Leading Security Experts Explain How They Think eBook -- table of contents
- Beautiful Security
- SPECIAL OFFER: Upgrade this ebook with O'Reilly
- Preface
- Why Security Is Beautiful
- Audience for This Book
- Donation
- Organization of the Material
- Conventions Used in This Book
- Using Code Examples
- Safari Books Online
- How to Contact Us
- 1. Psychological Security Traps
- Learned Helplessness and Naïveté
- A Real-Life Example: How Microsoft Enabled L0phtCrack
- Password and Authentication Security Could Have Been Better from the Start
- Naïveté As the Client Counterpart to Learned Helplessness
- Confirmation Traps
- An Introduction to the Concept
- The Analyst Confirmation Trap
- Stale Threat Modeling
- Rationalizing Away Capabilities
- Functional Fixation
- Vulnerability in Place of Security
- Sunk Costs Versus Future Profits: An ISP Example
- Sunk Costs Versus Future Profits: An Energy Example
- Summary
- 2. Wireless Networking: Fertile Ground for Social Engineering
- Easy Money
- Setting Up the Attack
- A Cornucopia of Personal Data
- A Fundamental Flaw in Web Security: Not Trusting the Trust System
- Establishing Wireless Trust
- Adapting a Proven Solution
- Wireless Gone Wild
- Wireless As a Side Channel
- What About the Wireless Access Point Itself?
- Still, Wireless Is the Future
- 3. Beautiful Security Metrics
- Security Metrics by Analogy: Health
- Unreasonable Expectations
- Data Transparency
- Reasonable Metrics
- Security Metrics by Example
- Barings Bank: Insider Breach
- The players
- How it happened
- What went wrong
- Barings: What if...
- Barings: Some security metrics
- TJX: Outsider Breach
- The players
- How it happened
- What went wrong
- TJX: What if...
- TJX: Some security metrics
- Global metrics
- Local metrics
- More Public Data Sources
- Summary
- 4. The Underground Economy of Security Breaches
- The Makeup and Infrastructure of the Cyber Underground
- The Underground Communication Infrastructure
- The Attack Infrastructure
- The Payoff
- The Data Exchange
- Information Sources
- Attack Vectors
- Exploiting website vulnerabilities
- Malware
- Phishing, facilitated by social-engineering spam
- The Money-Laundering Game
- How Can We Combat This Growing Underground Economy?
- Devalue Data
- Separate Permission from Information
- Institute an Incentive/Reward Structure
- Establish a Social Metric and Reputation System for Data Responsibility
- Summary
- 5. Beautiful Trade: Rethinking E-Commerce Security
- Deconstructing Commerce
- Analyzing the Security Context
- Weak Amelioration Attempts
- 3-D Secure
- 3-D Secure transactions
- Evaluation of 3-D Secure
- Secure Electronic Transaction
- SET transactions
- Evaluation of SET
- Single-Use and Multiple-Use Virtual Cards
- How virtual cards work
- Broken Incentives
- Consumer
- Merchant and service provider
- Acquiring and issuing banks
- Card association
- He who controls the spice
- E-Commerce Redone: A New Security Model
- Requirement 1: The Consumer Must Be Authenticated
- Requirement 2: The Merchant Must Be Authenticated
- Requirement 3: The Transaction Must Be Authorized
- Requirement 4: Authentication Data Should Not Be Shared Outside of Authenticator and Authenticated
- Requirement 5: The Process Must Not Rely Solely on Shared Secrets
- Requirement 6: Authentication Should Be Portable (Not Tied to Hardware or Protocols)
- Requirement 7: The Confidentiality and Integrity of Data and Transactions Must Be Maintained
- The New Model
- 6. Securing Online Advertising: Rustlers and Sheriffs in the New Wild West
- Attacks on Users
- Exploit-Laden Banner Ads
- Malvertisements
- Deceptive Advertisements
- Advertisers As Victims
- False Impressions
- Escaping Fraud-Prone CPM Advertising
- Gaming CPC advertising
- Inflating CPA costs
- Why Don't Advertisers Fight Harder?
- Lessons from Other Procurement Contexts: The Special Challenges of Online Procurement
- Creating Accountability in Online Advertising
- 7. The Evolution of PGP's Web of Trust
- PGP and OpenPGP
- Trust, Validity, and Authority
- Direct Trust
- Hierarchical Trust
- Cumulative Trust
- The Basic PGP Web of Trust
- Rough Edges in the Original Web of Trust
- Supervalidity
- The social implications of signing keys
- PGP and Crypto History
- Early PGP
- Patent and Export Problems
- The Crypto Wars
- From PGP 3 to OpenPGP
- Enhancements to the Original Web of Trust Model
- Revocation
- The basic model for revocation
- Key revocation and expiration
- Designated revokers
- Freshness
- Reasons for revocation
- Scaling Issues
- Extended introducers
- Authoritative keys
- Signature Bloat and Harassment
- Exportable signatures
- Key-editing policies
- In-Certificate Preferences
- The PGP Global Directory
- Variable Trust Ratings
- Interesting Areas for Further Research
- Supervalidity
- Social Networks and Traffic Analysis
- References
- 8. Open Source Honeyclient: Proactive Detection of Client-Side Exploits
- Enter Honeyclients
- Introducing the World's First Open Source Honeyclient
- Second-Generation Honeyclients
- Honeyclient Operational Results
- Transparent Activity from Windows XP
- Storing and Correlating Honeyclient Data
- Analysis of Exploits
- Limitations of the Current Honeyclient Implementation
- Related Work
- The Future of Honeyclients
- 9. Tomorrow's Security Cogs and Levers
- Cloud Computing and Web Services: The Single Machine Is Here
- Builders Versus Breakers
- Clouds and Web Services to the Rescue
- A New Dawn
- Connecting People, Process, and Technology: The Potential for Business Process Management
- Diffuse Security in a Diffuse World
- BPM As a Guide to Multisite Security
- Social Networking: When People Start Communicating, Big Things Change
- The State of the Art and the Potential in Social Networking
- Social Networking for the Security Industry
- Security in Numbers
- Information Security Economics: Supercrunching and the New Rules of the Grid
- Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All
- Democratization of Tools for Production
- Democratization of Channels for Distribution
- Connection of Supply and Demand
- Conclusion
- Acknowledgments
- 10. Security by Design
- Metrics with No Meaning
- Time to Market or Time to Quality?
- How a Disciplined System Development Lifecycle Can Help
- Conclusion: Beautiful Security Is an Attribute of Beautiful Systems
- 11. Forcing Firms to Focus: Is Secure Software in Your Future?
- Implicit Requirements Can Still Be Powerful
- How One Firm Came to Demand Secure Software
- How I Put a Security Plan in Place
- Choosing a focus and winning over management
- Setting up formal quality processes for security
- Developer training
- When the security process really took hold
- Fixing the Problems
- Extending Our Security Initiative to Outsourcing
- Enforcing Security in Off-the-Shelf Software
- Analysis: How to Make the World's Software More Secure
- The Best Software Developers Create Code with Vulnerabilities
- Microsoft Leading the Way
- Software Vendors Give Us What We Want but Not What We Need
- 12. Oh No, Here Come the Infosecurity Lawyers!
- Culture
- Balance
- The Digital Signature Guidelines
- The California Data Privacy Law
- Security's Return on Investment
- Communication
- How Geeks Need Lawyers
- Success Driven from the Top, Carried Out Through Collaboration
- A Data Breach Tiger Team
- Doing the Right Thing
- 13. Beautiful Log Handling
- Logs in Security Laws and Standards
- Focus on Logs
- When Logs Are Invaluable
- Challenges with Logs
- Case Study: Behind a Trashed Server
- Architecture and Context for the Incident
- The Observed Event
- The Investigation Starts
- Bringing Data Back from the Dead
- Summary
- Future Logging
- A Proliferation of Sources
- Log Analysis and Management Tools of the Future
- Conclusions
- 14. Incident Detection: Finding the Other 68%
- A Common Starting Point
- Improving Detection with Context
- Improving Coverage with Traffic Analysis
- Correlating with Watch Lists
- Improving Perspective with Host Logging
- Building a Resilient Detection Model
- Summary
- 15. Doing Real Work Without Real Data
- How Data Translucency Works
- A Real-Life Example
- Personal Data Stored As a Convenience
- Trade-offs
- Going Deeper
- References
- 16. Casting Spells: PC Security Theater
- Growing Attacks, Defenses in Retreat
- On the Conveyor Belt of the Internet
- Rewards for Misbehavior
- A Mob Response
- The Illusion Revealed
- Strict Scrutiny: Traditional and Updated Anti-Virus Scanning
- The evolution of the blacklist method
- The whitelist alternative
- Host-based Intrusion Prevention Systems
- Applying artificial intelligence
- Sandboxing and Virtualization: The New Silver Bullets
- Virtual machines, host and guest
- Security-specific virtualization
- Security of saved files in Returnil
- Better Practices for Desktop Security
- Conclusion
- A. Contributors
- Index
- About the Authors
- Colophon
- SPECIAL OFFER: Upgrade this ebook with O'Reilly