Computer Security Basics
SECOND EDITION

Rick Lehtinen, Deborah Russell, and G.T. Gangemi Sr.

Beijing • Cambridge • Farnham • Köln • Sebastopol • Taipei • Tokyo

Computer Security Basics, Second Edition
by Rick Lehtinen, Deborah Russell, and G.T. Gangemi Sr.

Copyright © 2006, 1991 O’Reilly Media, Inc. All rights reserved.
Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com).
For more information, contact our corporate/institutional sales department: (800) 998-9938 [email protected].

Editor: Tatiana Apandi
Developmental Editor: Mary Dageforde
Production Editor: Darren Kelly
Copyeditor: Mary Anne Weeks Mayo
Proofreader: Darren Kelly
Indexer: Julie Hawks
Cover Designer: Edie Freedman
Interior Designer: David Futato
Illustrators: Robert Romano and Jessamyn Read

Printing History:
  July 1991: First Edition.
  June 2006: Second Edition.

Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Computer Security Basics, the image of a key, and related trade dress are trademarks of O’Reilly Media, Inc.

Figure 7-1 is reproduced by permission of the Smithsonian Institution. Figure 10-14 used by permission of Berkeley Varitronics Systems, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

This book uses RepKover™, a durable and flexible lay-flat binding.

ISBN: 978-0-596-00669-3
[M]

Table of Contents

Preface

Part I. Security for Today

1. Introduction
     The New Insecurity
     What Is Computer Security?
     Threats to Security
     Why Buy Security?
     What’s a User to Do?

2. Some Security History
     Information and Its Controls
     Computer Security: Then and Now
     Early Computer Security Efforts
     Building Toward Standardization
     Computer Security Mandates and Legislation

Part II. Computer Security

3. Computer System Security and Access Controls
     What Makes a System Secure?
     System Access: Logging into Your System

4. Viruses and Other Wildlife
     Financial Effects of Malicious Programs
     Viruses and Public Health
     Viruses, Worms, and Trojans (Oh, My!)
     Who Writes Viruses?
     Remedies
     The Virus Hype
     An Ounce of Prevention

5. Establishing and Maintaining a Security Policy
     Administrative Security
     Overall Planning and Administration
     Day-to-Day Administration
     Separation of Duties

6. Web Attacks and Internet Vulnerabilities
     About the Internet
     What Are the Network Protocols?
     The Fragile Web

Part III. Communications Security

7. Encryption
     Some History
     What Is Encryption?
     The Data Encryption Standard
     Other Cryptographic Algorithms
     Message Authentication
     Government Cryptographic Programs
     Cryptographic Export Restrictions

8. Communications and Network Security
     What Makes Communication Secure?
     Modems
     Networks
     Network Security

Part IV. Other Types of Security

9. Physical Security and Biometrics
     Physical Security
     Locks and Keys: Old and New
     Biometrics
     Gentle Reminder

10. Wireless Network Security
     How We Got Here
     Today’s Wireless Infrastructure
     How Wireless Works
     Playing the Fields
     What Is This dB Stuff?
     Why Does All This Matter?
     Encouraging Diversity
     Physical Layer Wireless Attacks

Part V. Appendixes

A. OSI Model
B. TEMPEST
C. The Orange Book, FIPS PUBS, and the Common Criteria

Index