Table of Contents for Beautiful Security
by Andy Oram, John Viega
Cover
Dedication
Preface
Why Security Is Beautiful
Audience for This Book
Donation
Organization of the Material
Conventions Used in This Book
Using Code Examples
Safari® Books Online
How to Contact Us
1. Psychological Security Traps
Learned Helplessness and Naïveté
A Real-Life Example: How Microsoft Enabled L0phtCrack
Password and Authentication Security Could Have Been Better from the Start
Naïveté As the Client Counterpart to Learned Helplessness
Confirmation Traps
An Introduction to the Concept
The Analyst Confirmation Trap
Stale Threat Modeling
Rationalizing Away Capabilities
Functional Fixation
Vulnerability in Place of Security
Sunk Costs Versus Future Profits: An ISP Example
Sunk Costs Versus Future Profits: An Energy Example
Summary
2. Wireless Networking: Fertile Ground for Social Engineering
Easy Money
Setting Up the Attack
A Cornucopia of Personal Data
A Fundamental Flaw in Web Security: Not Trusting the Trust System
Establishing Wireless Trust
Adapting a Proven Solution
Wireless Gone Wild
Wireless As a Side Channel
What About the Wireless Access Point Itself?
Still, Wireless Is the Future
4. The Underground Economy of Security Breaches
The Makeup and Infrastructure of the Cyber Underground
The Underground Communication Infrastructure
The Attack Infrastructure
The Payoff
The Data Exchange
Information Sources
Attack Vectors
Exploiting website vulnerabilities
Malware
Phishing, facilitated by social-engineering spam
The Money-Laundering Game
How Can We Combat This Growing Underground Economy?
Devalue Data
Separate Permission from Information
Institute an Incentive/Reward Structure
Establish a Social Metric and Reputation System for Data Responsibility
Summary
5. Beautiful Trade: Rethinking E-Commerce Security
Deconstructing Commerce
Analyzing the Security Context
Weak Amelioration Attempts
3-D Secure
3-D Secure transactions
Evaluation of 3-D Secure
Secure Electronic Transaction
SET transactions
Evaluation of SET
Single-Use and Multiple-Use Virtual Cards
How virtual cards work
Broken Incentives
Consumer
Merchant and service provider
Acquiring and issuing banks
Card association
He who controls the spice
E-Commerce Redone: A New Security Model
Requirement 1: The Consumer Must Be Authenticated
Requirement 2: The Merchant Must Be Authenticated
Requirement 3: The Transaction Must Be Authorized
Requirement 4: Authentication Data Should Not Be Shared Outside of Authenticator and Authenticated
Requirement 5: The Process Must Not Rely Solely on Shared Secrets
Requirement 6: Authentication Should Be Portable (Not Tied to Hardware or Protocols)
Requirement 7: The Confidentiality and Integrity of Data and Transactions Must Be Maintained
The New Model
6. Securing Online Advertising: Rustlers and Sheriffs in the New Wild West
Attacks on Users
Exploit-Laden Banner Ads
Malvertisements
Deceptive Advertisements
Advertisers As Victims
False Impressions
Escaping Fraud-Prone CPM Advertising
Gaming CPC advertising
Inflating CPA costs
Why Don’t Advertisers Fight Harder?
Lessons from Other Procurement Contexts: The Special Challenges of Online Procurement
Creating Accountability in Online Advertising
7. The Evolution of PGP’s Web of Trust
PGP and OpenPGP
Trust, Validity, and Authority
Direct Trust
Hierarchical Trust
Cumulative Trust
The Basic PGP Web of Trust
Rough Edges in the Original Web of Trust
Supervalidity
The social implications of signing keys
PGP and Crypto History
Early PGP
Patent and Export Problems
The Crypto Wars
From PGP 3 to OpenPGP
Enhancements to the Original Web of Trust Model
Revocation
The basic model for revocation
Key revocation and expiration
Designated revokers
Freshness
Reasons for revocation
Scaling Issues
Extended introducers
Authoritative keys
Signature Bloat and Harassment
Exportable signatures
Key-editing policies
In-Certificate Preferences
The PGP Global Directory
Variable Trust Ratings
Interesting Areas for Further Research
Supervalidity
Social Networks and Traffic Analysis
References
8. Open Source Honeyclient: Proactive Detection of Client-Side Exploits
Enter Honeyclients
Introducing the World’s First Open Source Honeyclient
Second-Generation Honeyclients
Honeyclient Operational Results
Transparent Activity from Windows XP
Storing and Correlating Honeyclient Data
Analysis of Exploits
Limitations of the Current Honeyclient Implementation
Related Work
The Future of Honeyclients
9. Tomorrow’s Security Cogs and Levers
Cloud Computing and Web Services: The Single Machine Is Here
Builders Versus Breakers
Clouds and Web Services to the Rescue
A New Dawn
Connecting People, Process, and Technology: The Potential for Business Process Management
Diffuse Security in a Diffuse World
BPM As a Guide to Multisite Security
Social Networking: When People Start Communicating, Big Things Change
The State of the Art and the Potential in Social Networking
Social Networking for the Security Industry
Security in Numbers
Information Security Economics: Supercrunching and the New Rules of the Grid
Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All
Democratization of Tools for Production
Democratization of Channels for Distribution
Connection of Supply and Demand
Conclusion
Acknowledgments
10. Security by Design
Metrics with No Meaning
Time to Market or Time to Quality?
How a Disciplined System Development Lifecycle Can Help
Conclusion: Beautiful Security Is an Attribute of Beautiful Systems
11. Forcing Firms to Focus: Is Secure Software in Your Future?
Implicit Requirements Can Still Be Powerful
How One Firm Came to Demand Secure Software
How I Put a Security Plan in Place
Choosing a focus and winning over management
Setting up formal quality processes for security
Developer training
When the security process really took hold
Fixing the Problems
Extending Our Security Initiative to Outsourcing
Enforcing Security in Off-the-Shelf Software
Analysis: How to Make the World’s Software More Secure
The Best Software Developers Create Code with Vulnerabilities
Microsoft Leading the Way
Software Vendors Give Us What We Want but Not What We Need
12. Oh No, Here Come the Infosecurity Lawyers!
Culture
Balance
The Digital Signature Guidelines
The California Data Privacy Law
Security’s Return on Investment
Communication
How Geeks Need Lawyers
Success Driven from the Top, Carried Out Through Collaboration
A Data Breach Tiger Team
Doing the Right Thing
13. Beautiful Log Handling
Logs in Security Laws and Standards
Focus on Logs
When Logs Are Invaluable
Challenges with Logs
Case Study: Behind a Trashed Server
Architecture and Context for the Incident
The Observed Event
The Investigation Starts
Bringing Data Back from the Dead
Summary
Future Logging
A Proliferation of Sources
Log Analysis and Management Tools of the Future
Conclusions
14. Incident Detection: Finding the Other 68%
A Common Starting Point
Improving Detection with Context
Improving Coverage with Traffic Analysis
Correlating with Watch Lists
Improving Perspective with Host Logging
Building a Resilient Detection Model
Summary
15. Doing Real Work Without Real Data
How Data Translucency Works
A Real-Life Example
Personal Data Stored As a Convenience
Trade-offs
Going Deeper
References
16. Casting Spells: PC Security Theater
Growing Attacks, Defenses in Retreat
On the Conveyor Belt of the Internet
Rewards for Misbehavior
A Mob Response
The Illusion Revealed
Strict Scrutiny: Traditional and Updated Anti-Virus Scanning
The evolution of the blacklist method
The whitelist alternative
Host-based Intrusion Prevention Systems
Applying artificial intelligence
Sandboxing and Virtualization: The New Silver Bullets
Virtual machines, host and guest
Security-specific virtualization
Security of saved files in Returnil
Better Practices for Desktop Security
Conclusion
A. Contributors
Index
About the Authors
Colophon
Copyright