[...]... this book is on understanding security mechanisms—the nuts and bolts of information security In a few places, the “people problem” is discussed, but it would be possible to write several volumes on this topic For more information on the role that humans play in information security, perhaps the best source is Ross Anderson’s excellent book [14], which is filled with case studies of security failures, most... lists and capabilities We’ll look at the pluses and minuses of each of these authorization methods Authorization leads naturally to a few relatively specialized topics We’ll discuss multilevel security (and the related topic of multilateral security) For example, the military has TOP SECRET and SECRET information Some users can see both types of information, while other users can only see the SECRET information. .. if your goal is to design and build secure systems, you’d better understand something about the underlying technology Finally, some security books focus on the human factors in security While it is certainly critical to understand the role that human nature plays in security, I would argue that a security engineer must have a solid understanding of the inherent strengths and weaknesses of the technology... Alice’s information security concerns? If Bob is Alice’s customer, what are his information security concerns? Are Bob’s concerns the same as Alice’s? If we look at AOB from Trudy’s perspective, what security vulnerabilities might we see? 1 Not to be confused with “Alice’s Restaurant” [100] Information Security: Principles and Practice, by Mark Stamp Copyright © 2006 John Wiley & Sons, Inc 1 2 INTRODUCTION... should be exciting and fun, it’s information security Security is happening now, it’s in the news; it’s clearly alive and kicking Some security textbooks offer a large dollop of dry useless theory Reading one of these books is about as exciting as reading a calculus textbook Other security books offer nothing but a collection of apparently unrelated facts, giving the impression that security is not really... Software Flaws and Malware 12 Insecurity in Software 4 4 4 13 OS and Security Total 3 40 Comments Cover all Sections 2.3.6 and 2.3.8 are optional Section 3.3.5 is optional Omit 4.5; section 4.8 is optional Cover 5.1 through 5.6 and 5.7.2 The remainder of 5.7 is optional Omit entire chapter Cover all Cover 8.1 and 8.2 Sections 8.3 through 8.9 are optional (though 8.7 is recommended) Sections 9.4 and 9.5 are... develop and would be willing to share Finally, don’t hesitate to provide any suggestions you might have for future editions of this book ftp://ftp.wiley.com/public/sci_tech_med /information_ security/ ABOUT THE AUTHOR I’ve got more than a dozen years of experience in information security, including extensive work in industry and government My work experience includes seven years at the National Security. .. fundamental security tool Hash functions are used in many different contexts in information security Some of these uses are quite surprising and not always intuitive We’ll discuss applications of hash functions to online bidding and spam reduction We’ll also briefly consider a few special topics that are related to cryptography For example, we’ll discuss information hiding, where the goal is for Alice and Bob... design and develop a digital rights management security product This real-world work was sandwiched between academic jobs While in academia, my research interests have included a wide variety of security topics With my return to academia in 2002, I quickly realized that none of the available security textbooks had much connection with the real world I felt that I could write an information security. .. tell me that the information they learned in my course has proved useful in the real world And I certainly wish that a book like this had been available when I worked in industry, since my colleagues and I would have benefitted greatly from it I do have a life outside of information security My family includes my lovely wife, Melody, and two great sons, Austin, whose initials are AES, and Miles, whose . pagei—#1 INFORMATION SECURITY TEAM LinG “frontmatter” — 2005/9/21 — page ii — #2 “frontmatter” — 2005/9/21 — page iii — #3 INFORMATION SECURITY PRINCIPLES AND PRACTICE Mark. present the topic in a lively and interesting way. If any computing subject should be exciting and fun, it’s information security. Security is happening now,