Table of Contents

PREFACE

How to Read This Book
Acknowledgments

1. INTRODUCTION

Systems
Systems and Security

PART 1 - THE LANDSCAPE

2. DIGITAL THREATS

The Unchanging Nature of Attacks
The Changing Nature of Attacks
Proaction vs. Reaction

3. ATTACKS

Criminal Attacks
Privacy Violations
Publicity Attacks
Legal Attacks

4. ADVERSARIES

Hackers
Lone Criminals
Malicious Insider
Industrial Espionage
Press
Organized Crime
Police
Terrorists
National Intelligence Organizations
Infowarriors

5. SECURITY NEEDS

Privacy
Multilevel Security
Anonymity
Privacy and the Government
Authentication
Integrity
Audit
Electronic Currency
Proactive Solutions

PART 2 - TECHNOLOGIES

6. CRYPTOGRAPHY

Symmetric Encryption
Types of Cryptographic Attacks
Recognizing Plaintext
Message Authentication Codes
One-Way Hash Functions
Public-Key Encryption
Digital Signature Schemes
Random Number Generators
Key Length

7. CRYPTOGRAPHY IN CONTEXT

Key Length and Security
One-Time Pads
Protocols
Internet Cryptographic Protocols
Types of Protocol Attacks
Choosing an Algorithm or Protocol

8. COMPUTER SECURITY

Definitions
Access Control
Security Models
Security Kernels and Trusted Computing Bases
Covert Channels
Evaluation Criteria
Future of Secure Computers

9. IDENTIFICATION AND AUTHENTICATION

Passwords
Biometrics
Access Tokens
Authentication Protocols
Single Sign-On

10. NETWORKED-COMPUTER SECURITY

Malicious Software
Modular Code
Mobile Code
Web Security

11. NETWORK SECURITY

How Networks Work
IP Security
DNS Security
Denial-of-Service Attacks
Distributed Denial-of-Service Attacks
The Future of Network Security

12. NETWORK DEFENSES

Firewalls
Demilitarized Zones (DMZs)
Virtual Private Networks
Intrusion Detection Systems
Honey Pots and Burglar Alarms
Vulnerability Scanners
E-Mail Security
Encryption and Network Defenses

13. SOFTWARE RELIABILITY

Faulty Code
Attacks on Faulty Code
Buffer Overflows
The Ubiquity of Faulty Code

14. SECURE HARDWARE

Tamper Resistance
Side-Channel Attacks
Attacks against Smart Cards

15. CERTIFICATES AND CREDENTIALS

Trusted Third Parties
Credentials
Certificates
Problems with Traditional PKIs
PKIs on the Internet

16. SECURITY TRICKS

Government Access to Keys
Database Security
Steganography
Subliminal Channels
Digital Watermarking
Copy Protection
Erasing Digital Information

17. THE HUMAN FACTOR

Risk
Exception Handling
Human-Computer Interface
Human-Computer Transference
Malicious Insiders
Social Engineering

PART 3 - STRATEGIES

18. VULNERABILITIES AND THE VULNERABILITY LANDSCAPE

Attack Methodology
Countermeasures
The Vulnerability Landscape
Rationally Applying Countermeasures

19. THREAT MODELING AND RISK ASSESSMENT

Fair Elections
Secure Telephones
Secure E-Mail
Stored-Value Smart Cards
Risk Assessment
The Point of Threat Modeling
Getting the Threat Wrong

20. SECURITY POLICIES AND COUNTERMEASURES

Security Policies
Trusted Client Software
Automatic Teller Machines
Computerized Lottery Terminals
Smart Cards vs. Memory Cards
Rational Countermeasures

21. ATTACK TREES

Basic Attack Trees
A Pretty Good Privacy Attack Tree
Creating and Using Attack Trees

22. PRODUCT TESTING AND VERIFICATION

The Failure of Testing
Discovering Security Flaws After the Fact
Open Standards and Open Source Solutions
Reverse Engineering and the Law
Cracking and Hacking Contests
Evaluating and Choosing Security Products

23. THE FUTURE OF PRODUCTS

Software Complexity and Security
Technologies to Watch
Will We Ever Learn?

24. SECURITY PROCESSES

Processes
Detection and Response
Counterattack
Manage Risk
Outsourcing Security Processes

25. CONCLUSION

AFTERWORD

up to Secrets and Lies

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..