SD State University Using Machine Learning to Design an Authentication System Paper (3-6 written pages, APA Format)Outline the design of an authentication

SD State University Using Machine Learning to Design an Authentication System Paper (3-6 written pages, APA Format)Outline the design of an authentication scheme that “learns” by observing user behavior over time. The more it observes a user the better job of authentication it can do. Asking questions like, “what is your father’s middle name,” at the time an account is set up, is not learning over time. That is a baseline from which the system starts to learn. The authentication scheme would start with certain primitive information about a user, such as name and password. As the use of the computing system continued, the authentication system could gather such information as commonly used programming languages; commonly used applications, dates, times, and lengths of computing sessions; use of distinctive resources and anything else you can think of. The authentication challenges would become more individualized as the system learned more information about the user.Your design should include a list of many pieces of information about a user that the system could collect. It is permissible for the system to ask an authenticated user for certain additional information, as time goes by, but the learning should normally be non-intrusive.Your design should also consider the problem of presenting and validating challenges when it sees a user doing things that don’t fit the pattern it has built up. Does the would-be user answer a true-false or a multiple-choice question? Does the system interpret natural language prose? Security
in Computing
FIFTH EDITION
This page intentionally left blank
Security
in Computing
FIFTH EDITION
Charles P. Pfleeger
Shari Lawrence Pfleeger
Jonathan Margulies
Upper Saddle River, NJ • Boston • Indianapolis • San Francisco
New York • Toronto • Montreal • London • Munich • Paris • Madrid
Capetown • Sydney • Tokyo • Singapore • Mexico City
Many of the designations used by manufacturers and sellers to distinguish their products are
claimed as trademarks. Where those designations appear in this book, and the publisher was
aware of a trademark claim, the designations have been printed with initial capital letters or
in all capitals.
Executive Editor
Bernard Goodwin
The authors and publisher have taken care in the preparation of this book, but make no
expressed or implied warranty of any kind and assume no responsibility for errors or
omissions. No liability is assumed for incidental or consequential damages in connection
with or arising out of the use of the information or programs contained herein.
Managing Editor
John Fuller
For information about buying this title in bulk quantities, or for special sales opportunities
(which may include electronic versions; custom cover designs; and content particular to your
business, training goals, marketing focus, or branding interests), please contact our corporate
sales department at corpsales@pearsoned.com or (800) 382-3419.
For government sales inquiries, please contact governmentsales@pearsoned.com.
For questions about sales outside the U.S., please contact international@pearsoned.com.
Visit us on the Web: informit.com/ph
Library of Congress Cataloging-in-Publication Data
Pfleeger, Charles P., 1948–
Security in computing / Charles P. Pfleeger, Shari Lawrence Pfleeger, Jonathan Margulies.—
Fifth edition.
pages cm
Includes bibliographical references and index.
ISBN 978-0-13-408504-3 (hardcover : alk. paper)—ISBN 0-13-408504-3 (hardcover : alk.
paper)
1. Computer security. 2. Data protection. 3. Privacy, Right of. I. Pfleeger, Shari Lawrence.
II. Margulies, Jonathan. III. Title.
QA76.9.A25P45 2015
005.8—dc23
2014038579
Copyright © 2015 Pearson Education, Inc.
All rights reserved. Printed in the United States of America. This publication is protected
by copyright, and permission must be obtained from the publisher prior to any prohibited
reproduction, storage in a retrieval system, or transmission in any form or by any means,
electronic, mechanical, photocopying, recording, or likewise. To obtain permission to
use material from this work, please submit a written request to Pearson Education, Inc.,
Permissions Department, One Lake Street, Upper Saddle River, New Jersey 07458, or you
may fax your request to (201) 236-3290.
ISBN-13: 978-0-13-408504-3
ISBN-10: 0-13-408504-3
Text printed in the United States on recycled paper at Courier in Westford, Massachusetts.
First printing, January 2015
Editorial Assistant
Michelle Housley
Project Editor
Elizabeth Ryan
Copy Editor
Mary Lou Nohr
Proofreader
Linda Begley
Cover Designer
Alan Clements
Compositor
Shepherd, Inc.
To Willis Ware, a hero of
computer security and privacy.
This page intentionally left blank
Contents
Chapter 1
Foreword
xix
Preface
xxv
Acknowledgments
xxxi
About the Authors
xxxiii
Introduction
1
1.1
What Is Computer Security?
2
Values of Assets
The Vulnerability–Threat–Control Paradigm
4
5
Threats
6
1.2
1.3
1.4
1.5
1.6
1.7
1.8
Confidentiality
Integrity
Availability
Types of Threats
Types of Attackers
8
10
11
13
16
Harm
21
Risk and Common Sense
Method–Opportunity–Motive
22
26
Vulnerabilities
Controls
Conclusion
What’s Next?
Exercises
28
28
31
32
34
vii
viii
Contents
Chapter 2
Toolbox: Authentication, Access Control,
and Cryptography
36
2.1
2.2
2.3
2.4
Chapter 3
Authentication
38
Identification Versus Authentication
38
Authentication Based on Phrases and Facts:
Something You Know
Authentication Based on Biometrics: Something You Are
Authentication Based on Tokens: Something You Have
Federated Identity Management
Multifactor Authentication
Secure Authentication
40
53
65
68
70
70
Access Control
72
Access Policies
Implementing Access Control
Procedure-Oriented Access Control
Role-Based Access Control
72
75
85
85
Cryptography
86
Problems Addressed by Encryption
Terminology
DES: The Data Encryption Standard
AES: Advanced Encryption System
Public Key Cryptography
Public Key Cryptography to Exchange Secret Keys
Error Detecting Codes
Trust
Certificates: Trustable Identities and Public Keys
Digital Signatures—All the Pieces
87
87
95
98
100
103
109
117
121
124
Exercises
127
Programs and Programming
131
3.1
Unintentional (Nonmalicious) Programming Oversights
133
Buffer Overflow
Incomplete Mediation
Time-of-Check to Time-of-Use
Undocumented Access Point
Off-by-One Error
Integer Overflow
134
152
155
157
159
160
Contents
3.2
3.3
Chapter 4
ix
Unterminated Null-Terminated String
Parameter Length, Type, and Number
Unsafe Utility Program
Race Condition
161
162
162
163
Malicious Code—Malware
166
Malware—Viruses, Trojan Horses, and Worms
Technical Details: Malicious Code
167
176
Countermeasures
196
Countermeasures for Users
Countermeasures for Developers
Countermeasure Specifically for Security
Countermeasures that Don’t Work
197
203
216
224
Conclusion
Exercises
229
229
The Web—User Side
232
4.1
4.2
4.3
4.4
4.5
4.6
Browser Attacks
234
Browser Attack Types
How Browser Attacks Succeed: Failed Identification
and Authentication
234
Web Attacks Targeting Users
245
False or Misleading Content
Malicious Web Content
Protecting Against Malicious Web Pages
246
253
259
Obtaining User or Website Data
260
Code Within Data
Website Data: A User’s Problem, Too
Foiling Data Attacks
261
265
266
240
Email Attacks
267
Fake Email
Fake Email Messages as Spam
Fake (Inaccurate) Email Header Data
Phishing
Protecting Against Email Attacks
267
267
273
274
275
Conclusion
Exercises
277
278
x
Contents
Chapter 5
Operating Systems
280
5.1
Security in Operating Systems
280
Background: Operating System Structure
Security Features of Ordinary Operating Systems
A Bit of History
Protected Objects
Operating System Tools to Implement Security Functions
281
282
284
286
292
Security in the Design of Operating Systems
308
Simplicity of Design
Layered Design
Kernelized Design
Reference Monitor
Correctness and Completeness
Secure Design Principles
Trusted Systems
Trusted System Functions
The Results of Trusted Systems Research
309
309
312
313
314
315
316
319
325
5.2
5.3
5.4
5.5
Chapter 6
Rootkit
329
Phone Rootkit
Rootkit Evades Detection
Rootkit Operates Unchecked
Sony XCP Rootkit
TDSS Rootkits
Other Rootkits
329
330
334
335
336
338
Conclusion
Exercises
338
339
Networks
341
6.1
Network Concepts
342
Background: Network Transmission Media
Background: Protocol Layers
Background: Addressing and Routing
343
349
350
Part I—War on Networks: Network Security Attacks
6.2
Threats to Network Communications
Interception: Eavesdropping and Wiretapping
Modification, Fabrication: Data Corruption
Interruption: Loss of Service
Port Scanning
Vulnerability Summary
353
354
354
361
366
369
374
Contents
6.3
6.4
6.5
Wireless Network Security
374
WiFi Background
Vulnerabilities in Wireless Networks
Failed Countermeasure: WEP (Wired Equivalent Privacy)
Stronger Protocol Suite: WPA (WiFi Protected Access)
374
381
388
390
Denial of Service
396
Example: Massive Estonian Web Failure
How Service Is Denied
Flooding Attacks in Detail
Network Flooding Caused by Malicious Code
Network Flooding by Resource Exhaustion
Denial of Service by Addressing Failures
Traffic Redirection
DNS Attacks
Exploiting Known Vulnerabilities
Physical Disconnection
396
398
402
403
407
408
413
414
419
420
Distributed Denial-of-Service
421
Scripted Denial-of-Service Attacks
Bots
Botnets
Malicious Autonomous Mobile Agents
Autonomous Mobile Protective Agents
423
426
426
430
430
Part II—Strategic Defenses: Security Countermeasures
6.6
Cryptography in Network Security
6.7
xi
432
432
Network Encryption
Browser Encryption
Onion Routing
IP Security Protocol Suite (IPsec)
Virtual Private Networks
System Architecture
433
437
443
444
447
450
Firewalls
451
What Is a Firewall?
Design of Firewalls
Types of Firewalls
Personal Firewalls
Comparison of Firewall Types
Example Firewall Configurations
Network Address Translation (NAT)
Data Loss Prevention
452
453
454
465
467
467
472
473
xii
Contents
6.8
6.9
6.10
6.11
Chapter 7
Intrusion Detection and Prevention Systems
474
Types of IDSs
Other Intrusion Detection Technology
Intrusion Prevention Systems
Intrusion Response
Goals for Intrusion Detection Systems
IDS Strengths and Limitations
476
481
482
483
486
488
Network Management
489
Management to Ensure Service
Security Information and Event Management (SIEM)
489
492
Conclusion
Exercises
496
496
Databases
501
7.1
Introduction to Databases
502
Concept of a Database
Components of Databases
Advantages of Using Databases
502
502
506
Security Requirements of Databases
507
Integrity of the Database
Element Integrity
Auditability
Access Control
User Authentication
Availability
Integrity/Confidentiality/Availability
507
508
510
511
512
512
512
Reliability and Integrity
513
Protection Features from the Operating System
Two-Phase Update
Redundancy/Internal Consistency
Recovery
Concurrency/Consistency
513
514
516
516
517
Database Disclosure
518
Sensitive Data
Types of Disclosures
Preventing Disclosure: Data Suppression and Modification
Security Versus Precision
518
519
529
530
7.2
7.3
7.4
Contents
7.5
7.6
Chapter 8
Data Mining and Big Data
535
Data Mining
Big Data
536
540
Conclusion
Exercises
549
549
Cloud Computing
551
8.1
Cloud Computing Concepts
551
Service Models
Deployment Models
552
552
Moving to the Cloud
553
Risk Analysis
Cloud Provider Assessment
Switching Cloud Providers
Cloud as a Security Control
553
554
556
557
Cloud Security Tools and Techniques
560
Data Protection in the Cloud
Cloud Application Security
Logging and Incident Response
561
566
567
Cloud Identity Management
568
Security Assertion Markup Language
OAuth
OAuth for Authentication
570
573
577
8.2
8.3
8.4
8.5
8.6
8.7
Chapter 9
xiii
Securing IaaS
579
Public IaaS Versus Private Network Security
580
Conclusion
583
Where the Field Is Headed
To Learn More
584
584
Exercises
584
Privacy
586
9.1
9.2
Privacy Concepts
587
Aspects of Information Privacy
Computer-Related Privacy Problems
587
590
Privacy Principles and Policies
596
Fair Information Practices
U.S. Privacy Laws
596
597
xiv
Contents
9.3
9.4
9.5
9.6
9.7
9.8
9.9
9.10
Controls on U.S. Government Websites
Controls on Commercial Websites
Non-U.S. Privacy Principles
Individual Actions to Protect Privacy
Governments and Privacy
Identity Theft
599
600
603
605
607
609
Authentication and Privacy
610
What Authentication Means
Conclusions
611
615
Data Mining
616
Government Data Mining
Privacy-Preserving Data Mining
617
617
Privacy on the Web
619
Understanding the Online Environment
Payments on the Web
Site and Portal Registrations
Whose Page Is This?
Precautions for Web Surfing
Spyware
Shopping on the Internet
620
621
622
622
624
628
630
Email Security
632
Where Does Email Go, and Who Can Access It?
Interception of Email
Monitoring Email
Anonymous, Pseudonymous, and Disappearing Email
Spoofing and Spamming
Summary
632
633
633
634
635
636
Privacy Impacts of Emerging Technologies
636
Radio Frequency Identification
Electronic Voting
VoIP and Skype
Privacy in the Cloud
Conclusions on Emerging Technologies
636
640
642
642
643
Where the Field Is Headed
Conclusion
Exercises
644
645
645
Contents
Chapter 10
Management and Incidents
647
10.1
Security Planning
647
Organizations and Security Plans
Contents of a Security Plan
Security Planning Team Members
Assuring Commitment to a Security Plan
648
649
656
656
Business Continuity Planning
658
Assess Business Impact
Develop Strategy
Develop the Plan
660
660
661
10.2
10.3
Handling Incidents
662
Incident Response Plans
Incident Response Teams
662
665
Risk Analysis
668
The Nature of Risk
Steps of a Risk Analysis
Arguments For and Against Risk Analysis
669
670
684
Dealing with Disaster
686
Natural Disasters
Power Loss
Human Vandals
Interception of Sensitive Information
Contingency Planning
Physical Security Recap
686
688
689
692
694
698
Conclusion
Exercises
699
700
Legal Issues and Ethics
702
11.1
Protecting Programs and Data
704
Copyrights
Patents
Trade Secrets
Special Cases
704
711
714
716
Information and the Law
717
Information as an Object
Legal Issues Relating to Information
717
720
10.4
10.5
10.6
10.7
Chapter 11
xv
11.2
xvi
Contents
The Legal System
Summary of Protection for Computer Artifacts
721
724
Rights of Employees and Employers
725
Ownership of Products
Employment Contracts
725
727
Redress for Software Failures
728
Selling Correct Software
Reporting Software Flaws
729
731
Computer Crime
733
Why a Separate Category for Computer Crime Is Needed
Why Computer Crime Is Hard to Define
Why Computer Crime Is Hard to Prosecute
Examples of Statutes
International Dimensions
Why Computer Criminals Are Hard to Catch
What Computer Crime Does Not Address
Summary of Legal Issues in Computer Security
734
736
736
737
741
742
743
743
Ethical Issues in Computer Security
744
Differences Between the Law and Ethics
Studying Ethics
Ethical Reasoning
744
746
747
Incident Analysis with Ethics
750
Situation I: Use of Computer Services
Situation II: Privacy Rights
Situation III: Denial of Service
Situation IV: Ownership of Programs
Situation V: Proprietary Resources
Situation VI: Fraud
Situation VII: Accuracy of Information
Situation VIII: Ethics of Hacking or Cracking
Situation IX: True Representation
Conclusion of Computer Ethics
750
752
753
754
756
757
758
759
762
764
Conclusion
Exercises
765
765
Details of Cryptography
768
12.1
Cryptology
769
Cryptanalysis
Cryptographic Primitives
769
773
11.3
11.4
11.5
11.6
11.7
Chapter 12
Contents
12.2
12.3
12.4
12.5
One-Time Pads
Statistical Analysis
What Makes a “Secure” Encryption Algorithm?
775
776
777
Symmetric Encryption Algorithms
779
DES
AES
RC2, RC4, RC5, and RC6
779
789
792
Asymmetric Encryption with RSA
795
The RSA Algorithm
Strength of the RSA Algorithm
795
797
Message Digests
799
Hash Functions
One-Way Hash Functions
Message Digests
799
799
800
Digital Signatures
802
Elliptic Curve Cryptosystems
El Gamal and Digital Signature Algorithms
The NSA–Cryptography Controversy of 2012
802
803
804
Quantum Cryptography
807
Quantum Physics
Photon Reception
Cryptography with Photons
Implementation
807
808
808
811
Conclusion
811
Emerging Topics
813
13.1
The Internet of Things
814
Medical Devices
Mobile Phones
Security in the Internet of Things
815
818
820
12.6
12.7
Chapter 13
xvii
13.2
13.3
Economics
821
Making a Business Case
Quantifying Security
Current Research and Future Directions
821
825
832
Electronic Voting
834
What Is Electronic Voting?
What Is a Fair Election?
What Are the Critical Issues?
835
836
837
xviii
Contents
13.4
13.5
Cyber Warfare
841
What Is Cyber Warfare?
Possible Examples of Cyber Warfare
Critical Issues
842
843
846
Conclusion
850
Bibliography
851
Index
877
Foreword
From the authors: Willis Ware kindly wrote the foreword that we published in both the
third and fourth editions of Security in Computing. In his foreword he covers some of
the early days of computer security, describing concerns that are as valid today as they
were in those earlier days.
Willis chose to sublimate his name and efforts to the greater good of the projects he
worked on. In fact, his thoughtful analysis and persuasive leadership contributed much
to the final outcome of these activities. Few people recognize Willis’s name today;
more people are familiar with the European Union Data Protection Directive that is a
direct descendant of the report [WAR73a] from his committee for the U.S. Department
of Human Services. Willis would have wanted it that way: the emphasis on the ideas
and not on his name.
Unfortunately, Willis died in November 2013 at age 93. We think the lessons he
wrote about in his Foreword are still important to our readers. Thus, with both respect
and gratitude, we republish his words here.
I
n the 1950s and 1960s, the prominent conference gathering places for practitioners
and users of computer technology were the twice yearly Joint Computer Conferences (JCCs)—initially called the Eastern and Western JCCs, but later renamed the
Spring and Fall JCCs and even later, the annual National (AFIPS) Computer Conference. From this milieu, the topic of computer security—later to be called information
system security and currently also referred to as “protection of the national information
infrastructure”—moved from the world of classified defense interests into public view.
A few people—Robert L. Patrick, John P. Haverty, and myself among others—all
then at The RAND Corporation (as its name was then known) had been talking about
the growing dependence of the country and its institutions on computer technology.
It concerned us that the installed systems might not be able to protect themselves and
their data against intrusive and destructive attacks. We decided that it was time to bring
the security aspect of computer systems to the attention of the technology and user
communities.
xix
xx
Foreword
The enabling event was the development within the National Security Agency (NSA)
of a remote-access time-sharing system with a full set of security access controls, running on a Univac 494 machine, and serving terminals and users not only within the
headquarters building at Fort George G. Meade, Maryland, but also worldwide. Fortuitously, I knew details of the system.
Persuading two others from RAND to help—Dr. Harold Peterson and Dr. Rein
Turn—plus Bernard Peters of NSA, I organized a group of papers and presented it
to the SJCC conference management as a ready-made additional paper session to be
chaired by me. [1] The conference accepted the offer, and the session was presented at
the Atlantic City (NJ) Convention Hall in 1967.
Soon thereafter and driven by a request from a defense contractor to include both
defense classified and business applications concurrently in a single mainframe machine
functioning in a remote-access mode, the Department of Defense, acting through the
Advanced Research Projects Agency (ARPA) and later the Defense Science Board
(DSB), organized a committee, which I chaired, to study the issue of security controls
for computer systems. The intent was to produce a document that could be the basis for
formulating a DoD policy position on the matter.
The report of the committee was initially published as a classified document and was
formally presented to the sponsor (the DSB) in January 1970. It was later declassified
and republished (by The RAND Corporation) in October 1979. [2] It was widely circulated and became nicknamed “the Ware report.” The report and a historical introduction
are available on the RAND website. [3]
Subsequently, the United States Air Force (USAF) sponsored another committee
chaired by James P. Anderson. [4] Its report, published in 1972, recommended a 6-year
R&D security program totaling some $8M. [5] The USAF responded and funded several projects, three of which were to design and implement an operating system with
security controls for a specific computer.
Eventually these activities led to the “Criteria and Evaluation” program sponsored by
the NSA. It culminated in the “Orange Book” [6] in 1983 and subsequently its supporting array of documents, which were nicknamed “the rainbow se…
Purchase answer to see full
attachment