Beautiful Security. Leading Security Experts Explain How They Think

Spis treści książki

• Beautiful Security
  • SPECIAL OFFER: Upgrade this ebook with OReilly
  • Preface
    • Why Security Is Beautiful
    • Audience for This Book
    • Donation
    • Organization of the Material
    • Conventions Used in This Book
    • Using Code Examples
    • Safari Books Online
    • How to Contact Us
  • 1. Psychological Security Traps
    • Learned Helplessness and Naveté
      • A Real-Life Example: How Microsoft Enabled L0phtCrack
      • Password and Authentication Security Could Have Been Better from the Start
      • Naveté As the Client Counterpart to Learned Helplessness
    • Confirmation Traps
      • An Introduction to the Concept
      • The Analyst Confirmation Trap
      • Stale Threat Modeling
      • Rationalizing Away Capabilities
    • Functional Fixation
      • Vulnerability in Place of Security
      • Sunk Costs Versus Future Profits: An ISP Example
      • Sunk Costs Versus Future Profits: An Energy Example
    • Summary
  • 2. Wireless Networking: Fertile Ground for Social Engineering
    • Easy Money
      • Setting Up the Attack
      • A Cornucopia of Personal Data
      • A Fundamental Flaw in Web Security: Not Trusting the Trust System
      • Establishing Wireless Trust
      • Adapting a Proven Solution
    • Wireless Gone Wild
      • Wireless As a Side Channel
      • What About the Wireless Access Point Itself?
    • Still, Wireless Is the Future
  • 3. Beautiful Security Metrics
    • Security Metrics by Analogy: Health
      • Unreasonable Expectations
      • Data Transparency
      • Reasonable Metrics
    • Security Metrics by Example
      • Barings Bank: Insider Breach
        • The players
        • How it happened
        • What went wrong
        • Barings: What if...
        • Barings: Some security metrics
      • TJX: Outsider Breach
        • The players
        • How it happened
        • What went wrong
        • TJX: What if...
        • TJX: Some security metrics
          • Global metrics
          • Local metrics
      • More Public Data Sources
    • Summary
  • 4. The Underground Economy of Security Breaches
    • The Makeup and Infrastructure of the Cyber Underground
      • The Underground Communication Infrastructure
      • The Attack Infrastructure
    • The Payoff
      • The Data Exchange
      • Information Sources
      • Attack Vectors
        • Exploiting website vulnerabilities
        • Malware
        • Phishing, facilitated by social-engineering spam
      • The Money-Laundering Game
    • How Can We Combat This Growing Underground Economy?
      • Devalue Data
      • Separate Permission from Information
      • Institute an Incentive/Reward Structure
      • Establish a Social Metric and Reputation System for Data Responsibility
    • Summary
  • 5. Beautiful Trade: Rethinking E-Commerce Security
    • Deconstructing Commerce
      • Analyzing the Security Context
    • Weak Amelioration Attempts
      • 3-D Secure
        • 3-D Secure transactions
        • Evaluation of 3-D Secure
      • Secure Electronic Transaction
        • SET transactions
        • Evaluation of SET
      • Single-Use and Multiple-Use Virtual Cards
        • How virtual cards work
      • Broken Incentives
        • Consumer
        • Merchant and service provider
        • Acquiring and issuing banks
        • Card association
        • He who controls the spice
    • E-Commerce Redone: A New Security Model
      • Requirement 1: The Consumer Must Be Authenticated
      • Requirement 2: The Merchant Must Be Authenticated
      • Requirement 3: The Transaction Must Be Authorized
      • Requirement 4: Authentication Data Should Not Be Shared Outside of Authenticator and Authenticated
      • Requirement 5: The Process Must Not Rely Solely on Shared Secrets
      • Requirement 6: Authentication Should Be Portable (Not Tied to Hardware or Protocols)
      • Requirement 7: The Confidentiality and Integrity of Data and Transactions Must Be Maintained
    • The New Model
  • 6. Securing Online Advertising: Rustlers and Sheriffs in the New Wild West
    • Attacks on Users
      • Exploit-Laden Banner Ads
      • Malvertisements
      • Deceptive Advertisements
    • Advertisers As Victims
      • False Impressions
      • Escaping Fraud-Prone CPM Advertising
        • Gaming CPC advertising
        • Inflating CPA costs
      • Why Dont Advertisers Fight Harder?
      • Lessons from Other Procurement Contexts: The Special Challenges of Online Procurement
    • Creating Accountability in Online Advertising
  • 7. The Evolution of PGPs Web of Trust
    • PGP and OpenPGP
    • Trust, Validity, and Authority
      • Direct Trust
      • Hierarchical Trust
      • Cumulative Trust
      • The Basic PGP Web of Trust
      • Rough Edges in the Original Web of Trust
        • Supervalidity
        • The social implications of signing keys
    • PGP and Crypto History
      • Early PGP
      • Patent and Export Problems
      • The Crypto Wars
      • From PGP 3 to OpenPGP
    • Enhancements to the Original Web of Trust Model
      • Revocation
        • The basic model for revocation
        • Key revocation and expiration
        • Designated revokers
        • Freshness
        • Reasons for revocation
      • Scaling Issues
        • Extended introducers
        • Authoritative keys
      • Signature Bloat and Harassment
        • Exportable signatures
        • Key-editing policies
      • In-Certificate Preferences
      • The PGP Global Directory
      • Variable Trust Ratings
    • Interesting Areas for Further Research
      • Supervalidity
      • Social Networks and Traffic Analysis
    • References
  • 8. Open Source Honeyclient: Proactive Detection of Client-Side Exploits
    • Enter Honeyclients
    • Introducing the Worlds First Open Source Honeyclient
    • Second-Generation Honeyclients
    • Honeyclient Operational Results
      • Transparent Activity from Windows XP
      • Storing and Correlating Honeyclient Data
    • Analysis of Exploits
    • Limitations of the Current Honeyclient Implementation
    • Related Work
    • The Future of Honeyclients
  • 9. Tomorrows Security Cogs and Levers
    • Cloud Computing and Web Services: The Single Machine Is Here
      • Builders Versus Breakers
      • Clouds and Web Services to the Rescue
      • A New Dawn
    • Connecting People, Process, and Technology: The Potential for Business Process Management
      • Diffuse Security in a Diffuse World
      • BPM As a Guide to Multisite Security
    • Social Networking: When People Start Communicating, Big Things Change
      • The State of the Art and the Potential in Social Networking
      • Social Networking for the Security Industry
      • Security in Numbers
    • Information Security Economics: Supercrunching and the New Rules of the Grid
    • Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All
      • Democratization of Tools for Production
      • Democratization of Channels for Distribution
      • Connection of Supply and Demand
    • Conclusion
    • Acknowledgments
  • 10. Security by Design
    • Metrics with No Meaning
    • Time to Market or Time to Quality?
    • How a Disciplined System Development Lifecycle Can Help
    • Conclusion: Beautiful Security Is an Attribute of Beautiful Systems
  • 11. Forcing Firms to Focus: Is Secure Software in Your Future?
    • Implicit Requirements Can Still Be Powerful
    • How One Firm Came to Demand Secure Software
      • How I Put a Security Plan in Place
        • Choosing a focus and winning over management
        • Setting up formal quality processes for security
        • Developer training
        • When the security process really took hold
      • Fixing the Problems
      • Extending Our Security Initiative to Outsourcing
    • Enforcing Security in Off-the-Shelf Software
    • Analysis: How to Make the Worlds Software More Secure
      • The Best Software Developers Create Code with Vulnerabilities
      • Microsoft Leading the Way
      • Software Vendors Give Us What We Want but Not What We Need
  • 12. Oh No, Here Come the Infosecurity Lawyers!
    • Culture
    • Balance
      • The Digital Signature Guidelines
      • The California Data Privacy Law
      • Securitys Return on Investment
    • Communication
      • How Geeks Need Lawyers
      • Success Driven from the Top, Carried Out Through Collaboration
      • A Data Breach Tiger Team
    • Doing the Right Thing
  • 13. Beautiful Log Handling
    • Logs in Security Laws and Standards
    • Focus on Logs
    • When Logs Are Invaluable
    • Challenges with Logs
    • Case Study: Behind a Trashed Server
      • Architecture and Context for the Incident
      • The Observed Event
      • The Investigation Starts
      • Bringing Data Back from the Dead
      • Summary
    • Future Logging
      • A Proliferation of Sources
      • Log Analysis and Management Tools of the Future
    • Conclusions
  • 14. Incident Detection: Finding the Other 68%
    • A Common Starting Point
    • Improving Detection with Context
      • Improving Coverage with Traffic Analysis
      • Correlating with Watch Lists
    • Improving Perspective with Host Logging
      • Building a Resilient Detection Model
    • Summary
  • 15. Doing Real Work Without Real Data
    • How Data Translucency Works
    • A Real-Life Example
    • Personal Data Stored As a Convenience
    • Trade-offs
    • Going Deeper
    • References
  • 16. Casting Spells: PC Security Theater
    • Growing Attacks, Defenses in Retreat
      • On the Conveyor Belt of the Internet
      • Rewards for Misbehavior
      • A Mob Response
    • The Illusion Revealed
      • Strict Scrutiny: Traditional and Updated Anti-Virus Scanning
        • The evolution of the blacklist method
        • The whitelist alternative
        • Host-based Intrusion Prevention Systems
        • Applying artificial intelligence
      • Sandboxing and Virtualization: The New Silver Bullets
        • Virtual machines, host and guest
        • Security-specific virtualization
        • Security of saved files in Returnil
    • Better Practices for Desktop Security
    • Conclusion
  • A. Contributors
  • Index
  • About the Authors
  • Colophon
  • SPECIAL OFFER: Upgrade this ebook with OReilly

pokaż cały spis treści

ukryj recenzje