An Information Security Handbook

1. Introduction.- 1.1 Why a Book about Information Security?.- 1.2 Some Conventions.- 1.3 Risks.- 1.4 Information Sensitivity.- 1.5 Information Importance.- 1.6 Countermeasures.- 1.7 Information Warfare.- 1.8 Management.- 1.9 Summary.- 2. Technology and Security.- 2.1 Privilege and Machine Modes.- 2.2 System Configuration.- 2.3 Physical Aspects of Discs and Tapes.- 2.4 Files and Access Control.- 2.5 RAID Storage.- 2.6 Summary.- 3. Physical Security.- 3.1 The Security Domains.- 3.2 Security Aspects of Layout.- 3.3 Summary.- 4. Personnel Security.- 4.1 Assessing Personnel Trustworthiness.- 4.2 Example and Leadership.- 4.3 Awareness.- 4.4 IT Staff.- 4.5 New Recruits and Leavers.- 4.6 General.- 4.6 Summary.- 5. Communications Security.- 5.1 Encryption and Cryptanalysis.- 5.2 Authentication Dialogues.- 5.3 The Kerberos Authentication Dialogue.- 5.4 Hacking.- 5.5 Unix and the TCP/IP Family of Protocols.- 5.6 Firewalls and Gateways.- 6. Unix Security.- 6.1 The Security Problems of Unix.- 6.2 Unix File Permissions.- 6.3 Executing as the Superuser.- 6.4 Password Security.- 6.5 Improving Unix Network Security.- 7. Internet Security.- 7.1 External Hazards.- 7.2 ISP Services.- 7.3 After an Attack.- 7.4 Summary.- 8. Radiation Security.- 8.1 Equipment Layout.- 8.2 Maintenance.- 8.3 Summary.- 9. Procedural Security.- 9.1 System Integrity.- 9.2 Magnetic Media.- 9.3 Denial of System Benefits to a Competitor.- 9.4 Disposal of Documents.- 9.5 Weeding and Downgrading.- 9.6 When It Starts to Go Wrong.- 9.7 Summary.- 10. Software Security.- 10.1 Secure Computer Systems.- 10.2 Software Evaluation.- 10.3 Software Security Models.- 10.4 Other Software Security Issues.- 11. Some Notes on Static Analysis.- 11.1 Introduction.- 11.2 Control Flow Analysis.- 11.3 Data Flow Analysis.- 11.4 InformationFlow Analysis.- 11.5 Semantic Analysis.- 11.6 The Use of Static Analysis.- 11.7 Summary.- 12. Computer Viruses.- 12.1 Introduction.- 12.2 Viruses.- 12.3 Virus Examples.- 12.4 Dealing with Viruses.- 12.5 Java & Active-X.- 12.6 The “Millennium Bug”.- 12.7 Summary.- 13. The UK Data Protection Acts.- 13.1 Definitions.- 13.2 The Data Protection Principles.- 13.3 Summary.- 14. System Administration and Security.- 14.1 The Procurement of Secure Information Systems.- 14.2 System and Data Backups.- 14.3 Resource Tracking and Management.- 14.4 System Testing and Probing.- 14.5 Configuration Management.- 14.6 Database Maintenance.- 14.7 User Account Management.- 14.8 Audit Trail Management.- 14.9 Summary.- 15. The Management of Security.- 15.1 The Security Management Problem.- 15.2 A Security Management Methodology.- 15.3 System Security Policies.- 15.4 Summary.- 16. Conclusions.- 16.1 A Definition of Information System Security.- 16.2 The Security Problems of an Information System.- 16.3 Tailpiece.- A. Unix Security Resources.- A.1 Configuration Checkers.- A.2 Network Activity Monitors.- A.3 Intrusion Checkers.- A.4 Change Detectors.- A.5 Password Checkers.- A.6 Firewall Packages.- A.7 Security Documentation.- A.8 Other Secure Software.- B. DoD Computer System Evaluation Criteria.- C. IT Security Evaluation Criteria (ITSEC).- D. An Example System Security Policy.- E. System Threats and Countermeasures.- E.1 Introduction.- E.2 Threats to the Level of Service.- E.2.1 Power Supplies.- E.2.2 Hardware Faults.- E.2.3 Software Crashes.- E.2.4 Operator Errors.- E.2.5 Computer Viruses.- E.2.6 Environmental Disasters.- E.3 Threats to the Information Base.- E.4 Threats Leading to Information Leakage.- E.5 Choice of Countermeasures.- E.6 Summary.- F. Example List of SecurityCountermeasures.- F.1 Access Control.- F.1.1 Communications.- F.1.2 Covert Channel Control.- F.1.3 Discretionary Access Control.- F.1.4 Mandatory Access Control.- F.1.5 Physical Access Control.- F.2 Accountability.- F.2.1 Transactions.- F.2.2 Configuration.- F.3 Accuracy.- F.3.1 Communications.- F.3.2 Storage.- F.4 Availability.- F.4.1 Communications.- F.4.2 Logical Denial.- F.4.3 Personnel.- F.4.4 Physical Denial.- F.4.5 Environmental Damage.- F.5 Data Exchange.- F.5.1 Communications Security.- F.5.2 Covert Channel.- F.5.3 Radiation Security.- F.5.4 Transmission Security.- F.5.5 Traffic Flow Security.- F.6 Authentication.- F.7 Audit.- F.8 Personnel.- G. Glossary of Information Security Terms.- H. References & Bibliography.