Thursday, December 11, 2008

Ebook: Computer Security: Art and Science

This highly anticipated book fully introduces the theory and practice of computer security. It is both a comprehensive text, explaining the most fundamental and pervasive aspects of the field, and a detailed reference filled with valuable information for even the most seasoned practitioner. In this one extraordinary volume the author incorporates concepts from computer systems, networks, human factors, and cryptography. In doing so, he effectively demonstrates that computer security is an art as well as a science.

This book has three goals. The first is to show the importance of theory to practice and of practice to theory. All too often, practitioners regard theory as irrelevant and theoreticians think of practice as trivial. In reality, theory and practice are symbiotic. For example, the theory of covert channels, in which the goal is to limit the ability of processes to communicate through shared resources, provides a mechanism for evaluating the effectiveness of mechanisms that confine processes, such as sandboxes and firewalls. Similarly, business practices in the commercial world led to the development of several security policy models such as the Clark-Wilson model and the Chinese Wall model. These models in turn help the designers of security policies better understand and evaluate the mechanisms and procedures needed to secure their sites.

The second goal is to emphasize that computer security and cryptography are different. Although cryptography is an essential component of computer security, it is by no means the only component. Cryptography provides a mechanism for performing specific functions, such as preventing unauthorized people from reading and altering messages on a network. However, unless developers understand the context in which they are using cryptography, and unless the assumptions underlying the protocol and the cryptographic mechanisms apply to the context, the cryptography may not add to the security of the system. The canonical example is the use of cryptography to secure communications between two low-security systems. If only trusted users can access the two systems, cryptography protects messages in transit. But if untrusted users can access either system (through authorized accounts or, more likely, by breaking in), the cryptography is not sufficient to protect the messages. The attackers can read the messages at either endpoint.

The third goal is to demonstrate that computer security is not just a science but also an art. It is an art because no system can be considered secure without an examination of how it is to be used. The definition of a "secure computer" necessitates a statement of requirements and an expression of those requirements in the form of authorized actions and authorized users. (A computer engaged in work at a university may be considered "secure" for the purposes of the work done at the university. When moved to a military installation, that same system may not provide sufficient control to be deemed "secure" for the purposes of the work done at that installation.) How will people, as well as other computers, interact with the computer system? How clear and restrictive an interface can a designer create without rendering the system unusable while trying to prevent unauthorized use or access to the data or resources on the system?

Chapter 01 - An Overview of Computer Security
Chapter 02 - Access Control Matrix
Chapter 03 - Foundational Results
Chapter 04 - Security Policies
Chapter 05 - Confidentiality Policies
Chapter 06 - Integrity Policies
Chapter 07 - Hybrid Policies
Chapter 08 - Noninterference and Policy Composition
Chapter 09 - Basic Cryptography
Chapter 10 - Key Management
Chapter 11 - Cipher Techniques
Chapter 12 - Authentication
Chapter 13 - Design Principles
Chapter 14 - Representing Identity
Chapter 15 - Access Control Mechanisms
Chapter 16 - Information Flow
Chapter 17 - Confinement Problem
Chapter 18 - Introduction to Assurance
Chapter 19 - Building Systems with Assurance
Chapter 20 - Formal Methods
Chapter 21 - Evaluating Systems
Chapter 22 - Malicious Logic
Chapter 23 - Vulnerability Analysis
Chapter 24 - Auditing
Chapter 25 - Intrusion Detection
Chapter 26 - Network Security
Chapter 27 - System Security
Chapter 28 - User Security
Chapter 29 - Program Security
Chapter 30 - Lattices
Chapter 31 - The Extended Euclidean Algorithm
Chapter 32 - Entropy and Uncertainty
Chapter 33 - Virtual Machines
Chapter 34 - Symbolic Logic
Chapter 35 - Example Academic Security Policy
