Slamming the door on security threats just got easier for IT professionals. This total resource on security design and operations puts today's most powerful tools and techniques at their command, providing the latest hands-on expertise on everything from access control to privacy enhancement. Written by an international team of experts, this one-stop reference maps out the latest user authentication methods, as well as authorization and access controls and their applications in today's database systems. The book addresses network security in depth, offering a fresh look at anti-intrusion approaches, intrusion detection systems, authentication and authorization infrastructures, identity certificates, smart cards, and tokens.
Author(s): Steven M. Furnell, Sokratis Katsikas, Javier Lopez, Ahmed Patel
Edition: 1
Year: 2008
Language: English
Pages: 362
Contents......Page 6
Preface......Page 14
CHAPTER 1 Introduction......Page 16
2.1 Definitions......Page 20
2.2.2 Vulnerabilities......Page 23
2.2.3 Attacks and Misuse......Page 24
2.2.4 Impacts and Consequences of Security Breaches......Page 26
2.3 Security Services and Safeguards......Page 27
2.3.2 Security Objectives......Page 29
2.3.3 Perspectives on Protection......Page 30
2.4 Conclusions......Page 34
References......Page 35
3.1 Business-Integrated Information Security Management......Page 36
3.2 Applying The PDCA Model to Manage Information Security......Page 37
3.3 Information Security Management Through Business Process Management......Page 39
3.4 Factors Affecting the Use of Systematic Managerial Tools in Business-Integrated Information Security Management......Page 42
3.5 Information Security Management Standardization and International Business Management......Page 43
3.6 Business Continuity Management......Page 46
References......Page 48
CHAPTER 4 User Authentication Technologies......Page 50
4.1.2 Passwords......Page 51
4.1.3 Alternative Secret-Knowledge Approaches......Page 55
4.1.4 Attacks Against Secret-Knowledge Approaches......Page 59
4.2.2 Token Technologies......Page 60
4.2.4 Attacks Against Tokens......Page 62
4.3.1 Principles of Biometric Technology......Page 63
4.3.2 Biometric Technologies......Page 66
4.3.3 Attacks Against Biometrics......Page 70
4.4 Operational Considerations......Page 71
4.5 Conclusions......Page 72
References......Page 73
5.1 Discretionary Access Control (DAC)......Page 76
5.1.1 Implementation Alternatives......Page 77
5.1.2 Discussion of DAC......Page 78
5.2.1 Need-to-Know Model......Page 79
5.2.2 Military Security Model......Page 80
5.3.1 Personal Knowledge Approach......Page 82
5.3.2 Clark and Wilson Model......Page 83
5.3.3 Chinese Wall Policy......Page 84
5.4 Role-Based Access Control......Page 85
5.4.1 Core RBAC......Page 86
5.4.2 Hierarchical RBAC......Page 87
5.4.3 Constraint RBAC......Page 88
5.5 Attribute-Based Access Control......Page 89
5.5.1 ABAC—A Unified Model for Attribute-Based Access Control......Page 90
5.5.2 Designing ABAC Policies with UML......Page 92
5.5.3 Representing Classic Access Control Models......Page 94
5.5.4 Extensible Access Control Markup Language......Page 95
5.6 Conclusions......Page 99
References......Page 100
6.1 Security in Relational Databases......Page 102
6.1.1 View-Based Protection......Page 103
6.1.2 SQL Grant/Revoke......Page 105
6.1.3 Structural Limitations......Page 108
6.2 Multilevel Secure Databases......Page 109
6.2.1 Polyinstantiation and Side Effects......Page 111
6.2.2 Structural Limitations......Page 112
6.3.1 Taxonomy of Design Choices......Page 114
6.3.2 Alternatives Chosen in IRO-DB......Page 116
6.4 Conclusions......Page 117
References......Page 118
7.1 Introduction......Page 120
7.2 Encryption for Secrecy Protection......Page 121
7.2.1 Symmetric Encryption......Page 123
7.2.2 Public Key Encryption......Page 129
7.3.1. Symmetric Authentication......Page 136
7.3.2 Digital Signatures......Page 140
7.4.1 Different Approaches in Cryptography......Page 142
7.4.2 Life Cycle of a Cryptographic Algorithm......Page 144
7.4.3 Insecure Versus Secure Algorithms......Page 145
7.5 Conclusions......Page 148
References......Page 149
8.1 Network Security Architectures......Page 154
8.1.2 ISO/OSI Network Security Services......Page 155
8.1.3 Internet Security Architecture......Page 157
8.2.2 Point-to-Point Tunneling Protocol (PPTP)......Page 159
8.3 Security at the Internet Layer......Page 160
8.3.1 IP Security Protocol (IPSP)......Page 161
8.3.2 Internet Key Exchange Protocol......Page 163
8.4 Security at the Transport Layer......Page 164
8.4.1 Secure Shell......Page 165
8.4.2 The Secure Sockets Layer Protocol......Page 166
8.4.3 Transport Layer Security Protocol......Page 167
8.5.1 Secure Email......Page 168
8.5.2 Web Transactions......Page 169
8.5.4 Network Management......Page 170
8.5.5 Distributed Authentication and Key Distribution Systems......Page 172
8.6 Security in Wireless Networks......Page 173
8.7 Network Vulnerabilities......Page 176
8.8.1 Types of Attacks......Page 177
8.8.3 Typical Attack Scenario......Page 179
8.9 Anti-Intrusion Approaches......Page 180
8.9.1 Intrusion Detection and Prevention Systems......Page 181
References......Page 182
9.1 Key Management and Authentication......Page 186
9.2 Public Key Infrastructures......Page 189
9.2.1 PKI Services......Page 191
9.2.2 Types of PKI Entities and Their Functionalities......Page 199
9.3 Privilege Management Infrastructures......Page 201
References......Page 205
10.1 New Applications, New Threats......Page 208
10.1.1 Typical Smart Card Application Domains......Page 210
10.1.2 The World of Tokens......Page 211
10.1.3 New Threats for Security and Privacy......Page 212
10.2 Smart Cards......Page 213
10.2.1 Architecture......Page 214
10.2.2 Smart Card Operating System......Page 215
10.2.3 Communication Protocols......Page 216
10.3 Side-Channel Analysis......Page 217
10.3.1 Power-Analysis Attacks......Page 218
10.3.2 Countermeasures Against DPA......Page 220
10.4 Toward the Internet of Things......Page 221
10.4.1 Advanced Contactless Technology......Page 222
10.4.2 Cloning and Authentication......Page 223
10.4.3 Privacy and Espionage......Page 224
References......Page 225
CHAPTER 11 Privacy and Privacy-Enhancing Technologies......Page 228
11.1 The Concept of Privacy......Page 229
11.2.1 Location-Based Services......Page 230
11.2.2 Radio Frequency Identification......Page 232
11.3 Legal Privacy Protection......Page 233
11.3.1 EU Data Protection Directive 95/46/EC......Page 234
11.3.2 EU E-Communications Directive 2002/58/EC......Page 236
11.3.3 Data Retention Directive 2006/24/EC......Page 237
11.3.4 Privacy Legislation in the United States......Page 238
11.4.1 Class 1: PETs for Minimizing or Avoiding Personal Data......Page 239
11.4.2 Class 2: PETs for the Safeguarding of Lawful Data Processing......Page 240
11.4.3 Class 3: PETs Providing a Combination of Classes 1 & 2......Page 241
11.5 Privacy Enhancing Technologies for Anonymous Communication......Page 242
11.5.1 Broadcast Networks and Implicit Addresses......Page 243
11.5.2 DC-Networks......Page 244
11.5.3 Mix Nets......Page 246
11.5.4 Private Information Retrieval......Page 247
11.5.5 New Protocols Against Local Attacker Model: Onion Routing, Web Mixes, and P2P Mechanisms......Page 249
11.6 Spyware and Spyware Countermeasures......Page 252
References......Page 254
12.1 Filtering: A Technical Solution as a Legal Solution or Imperative?......Page 258
12.1.1 Filtering Categories......Page 259
12.1.2 A Legal Issue......Page 260
12.2.1 Blocking at the Content Distribution Mechanism......Page 261
12.2.2 Blocking at the End-User Side......Page 263
12.3 Content-Filtering Tools......Page 268
12.4 Under- and Overblocking: Is Filtering Effective?......Page 269
12.5.1 The U.S. Approach......Page 270
12.5.2 The European Approach......Page 271
12.5.3 Filtering As Privatization of Censorship?......Page 272
12.6 Filtering As Cross-National Issue......Page 274
12.6.1 Differing Constitutional Values: The Case of Yahoo!......Page 275
12.6.2 Territoriality, Sovereignty, and Jurisdiction in the Internet Era......Page 276
References......Page 277
13.1 Definitions......Page 282
13.2 Comprehensive Model of Cybercrime Investigation......Page 284
13.2.1 Existing Models......Page 285
13.2.2 The Extended Model......Page 287
13.2.4 Advantages and Disadvantages of the Model......Page 293
13.3 Protecting the Evidence......Page 294
13.3.3 User Authentication......Page 295
13.4 Conclusions......Page 296
References......Page 297
14.2 Theoretical Background to the Systemic-Holistic Model......Page 298
14.3 The Systemic-Holistic Model and Approach......Page 300
14.4 Security and Control Versus Risk—Cybernetics......Page 305
14.5.1 Soft System Methodology......Page 309
14.5.2 General Living Systems Theory......Page 314
14.5.3 Beer’s Viable Systems Model......Page 317
14.6 Can Theory and Practice Unite?......Page 319
References......Page 320
15.1 Requirements for an Internet-Based E-Voting System......Page 322
15.1.1 Functional Requirements......Page 323
15.2 Cryptography and E-Voting Protocols......Page 326
15.2.1 Cryptographic Models for Remote E-Voting......Page 327
15.2.2 Cryptographic Protocols for Polling-Place E-Voting......Page 332
15.3 Conclusions......Page 333
References......Page 334
CHAPTER 16 On Mobile Wiki Systems Security......Page 338
16.1 Blending Wiki and Mobile Technology......Page 340
16.2 Background Information......Page 341
16.3 The Proposed Solution......Page 343
16.3.1 General Issues......Page 344
16.3.2 Architecture......Page 345
16.3.3 Authentication and Key Agreement Protocol Description......Page 346
16.3.4 Confidentiality & Integrity of Communication......Page 348
References......Page 349
About the Authors......Page 352
Index......Page 362
