Additional Reading Materials

Here is an incomplete collection of reading materials associated with the textbook. Visit the Elementary Infosec site for a complete set of reading and study materials.

Locating copies of on-line articles and papers

Some links lead to on-line articles published by professional societies like the ACM (Association for Computing Machinery) or IEEE (Institute of Electrical and Electronic Engineers). Serious computing experts often join one or both of these, and sign up for electronic library subscriptions. Many college and university libraries may also provide free access to these for students and faculty.

1: Security From the Ground Up

Study Acronyms and Terms

Visit the Quizlet web site to find study aids for the chapter's acronyms and terms by following the links below. Many students prefer to study the acronyms first.

Security Overview - Recent Events

The following blogs provide readable reports and commentary on information security.

Bruce Schneier (of Schneier on Security) coined the term security theater in his book Beyond Fear (New York: Copernicus Books, 2003).

Continuous Improvement

ASQ (the American Society for Quality, which has now gone international) provides tutorials on basic quality concepts including continuous improvement.

In Japan, the term kaizen embodies the continuous improvement process.

Systems Engineering

During World War II, military enterprises poured vast resources into various techincal projects, notably radar, codebreaking, and the atomic bomb. Those successes encouraged the peacetime military to pursue other large scale technical projects. A typical project would start with a very large budget and a vague completion date a few years in the future. But in practice, many of these projects vastly exceeded both the budget and the predicted time table.

A handful of projects, notably the Polaris Missile project, achieved success while adhering closely to their initial budget and schedule estimates. Pressure on defense budgets led the US DOD to identify features of the successful projects so they might be applied to future work. This was the genesis of systems engineering. The DOD's Defense Aquisition University has produced an introduction to systems engineering (PDF format) in the defense community.

The International Council on Systems Engineering (INCOSE) provides a more general view of systems engineering. NASA also provides on-line training materials on their Space Systems Engineering site.

Basic Principles of Information Security

Chapter 1 introduces the first three of eight basic principles of information security.

Continuous Improvement
Least Privilege
Defense in Depth

Different authorities present different lists of principles. International standards bodies, including NIST in the US, tend to produce very general lists of principles, reflecting notions such as "be safe," "keep records," and other generalizations (for example, see NIST's SP 800-14: "Generally Accepted Principles and Practices for Securing Information Technology Systems"). These principles represent basic truths about security, but few are stated in a way that helps one make security decisions.

Saltzer and Schroeder produced a now-classic list based on experience with the Multics time sharing system in the 1970s: "The Protection of Information in Computer Systems," Proceedings of the IEEE 63, 9 (September, 1975). Some of these principles reflect features of the Multics system while others reflect some well-known shortcomings with most systems of that time. Copies exist online at Saltzer's own web site and at the University of Virginia.

There is also a Cryptosmith blog post that compares the textbook's list of principles with those in Saltzer and Schroeder.

Microsoft's Technet archives also contain a well-written summary of principles titled "10 Immutable Laws of Security," followed with "10 Immutable Laws of Security Administration."

High-Level Security Analysis

A high-level security analysis provides a brief summary of a security situation at a given point of time. The next section provides a checklist for writing a high-level security analysis.

Risk Assessment

The risk assessment processes noted in the textbook are all avaliable online:

ASIS General Security Risk Assessment Guideline (PDF offered for sale)
NIST “Risk Management Guide for Information Technology Systems" SP 800-30 (free PDF)
OCTAVE risk assessment method

Ethical Issues

CERT has published the policy it follows when disclosing vulnerabilities. Changes to Microsoft's disclosure policy yield news coverage. Microsoft publishes its policy in MS Word "docx" format.

Several news sources including the BBC reported on Michael Lynn's canceled talk on Cisco router vulnerabilities at the 2005 Black Hat conference.

Aircraft Hijacking

The fundamental reference for everything related to the events of September 11, 2001, is the Final Report of the National Commission on Terrorist Attacks Upon the United States, a.k.a. "The 9/11 Commission Report," published in 2004.

Following 9/11, the BBC published a brief history of airline hijackings. The 2003 Centennial of Flight web site provides a more general summary of violent incidents in aviation security. In 2007, New York Magazine published a more detailed hijacking time-line in conjunction with breaking news on the D. B. Cooper hijacking case. The US FBI web site contains a lot of information about the D. B. Cooper case, including a 2007 update.

Here is a 30 second video clip of traditional aircraft hijacking. The History.com web site provides several videos of the 9/11 attack from different vantage points on its Witness to 9/11 web page.

Checklist for a High-Level Security Analysis

The textbook presents a high-level security analysis as a short writing exercise that summarizes a security situation. The analysis generally describes a situation at a particular point in time. For example, the 9/11 discussion in the textbook describes air travel security before 9/11. The analysis describes the six phases of the security process:

Assets
Risks
Policy
Implementation
Monitoring
Recovery

Here is a checklist of the basic properties of a high-level analysis:

Is the analysis at least seven paragraphs long?
Is the analysis too long? A typical analysis should be no more than 14 paragraphs long unless it addresses a really unusual subject area that requires extra explanation.
Do the initial paragraphs introduce the scenario?
Are there six headings following the introductory paragraph, one per phase?
Is there at least one paragraph discussing each phase?

Note that a complete security plan will also cover the six phases, but it is not limited to this length. A complete plan covers each phase thoroughly.

2: Controlling a Computer

Study Acronyms and Terms

Visit the Quizlet web site to find study aids for the chapter's acronyms and terms by following the links below. Many students prefer to study the acronyms first.

Computer Internals

Here is a 26-minute video of middle school students visiting a "walk through" computer to learn the basics of computer operation. Taken from the PBS TV series "Newton's Apple," 1990. Although the technology is over 20 years old, the fundamental components remain the same, except for speed speed, size, and capacity.

There are, of course, countless images and videos available through on-line searching that show specific elements of computer systems.

Binary Numbers and Hexadecimal Notations

Students who have not yet studied these topics in detail will want to visit web sites that provide an introduction to binary and hex. YouTube user Ryan of Aberdeen has created a video tutorial (9 minutes). There are also written tutorials:

The Morris worm

A faculty member at NC State University maintains a site that provides an overview of the Morris worm.

Eugene Spafford (aka spaf) wrote a report describing the worm, its operations, and its effects (PDF), shortly after the incident.

Eichin and Rochlis of MIT published a report of the worm incident from the MIT perspective (PDF). This was presented at the IEEE Symposium on Security and Privacy the following year.

In 1990, Peter Denning published a book that brought together several papers on the Morris worm and other security issues emerging at that time, titled Computers Under Attack: Intruders, Worms and Viruses.

Spafford also maintains an archive of worm-related information at Purdue University.

Open Design

Auguste Kerckhoffs' original paper on cryptographic system design recommended that cryptographic systems be published and that secrecy should reside entirely in a secret key. The paper was published in French in 1883. Portions of Kerckhoffs' paper are available on-line including partial English translations.

Claude Shannon's "Communication Theory of Secrecy Systems" (Bell System Technical Journal, vol. 28, no. 4, 1949) contains his assumption "the enemy knows the system being used" (italics his). Bell Labs provides general information about Shannon's work and publications.

Eric Raymond published a famous essay on the benefits of open design and of sharing program source code in general, called "The Cathedral and The Bazaar." This essay has inspired many members of the Open Source community.

Program and Process Security

Butler Lampson introduced the access matrix in his 1971 paper, "Protection." Lampson has posted a copy of his paper on-line in several formats.

Identifying Motherboard Features

This is, unfortunately, a lot harder than it seems. As RAM has grown smaller and I/O grown more complex, motherboard components have changed dramatically in size and appearance. Here are suggestions on identifying key features in older and newer motherboards.

CPU - The CPU is generally covered by a large, louvered object called a heat sink, and is often held in place by a lever or catch. The heat sink is often glued to the top of the CPU. In some cases you must remove the heat sink to remove the CPU, while in other cases they are removed as a single unit. Higher performance CPUs may have fans or liquid cooling systems attached to the heat sink.
RAM - these have resided on daughterboards for many years now. The daughterboards usually - but not always - plug directly into the motherboard. Each daughterboard will typically be long and thin to handle a row of individual RAM circuits. As a motherboard gets older and the RAM becomes more dense, there are fewer and fewer RAM circuits on each daughterboard.
I/O circuits - the latest CPUs have special-purpose I/O circuits that are as large and power-hungry as the CPUs themselves. These may often carry their own heat sinks. Unlike the CPUs, though, a motherboard is often built around the I/O circuits. Thus, the I/O circuits are built in to the motherboard, while the CPU is added by the computer builder. In Figure 2.1 of the textbook (page 44), the large, unmarked metal object in the center of the motherboard is the heat sink for an I/O circuit.
I/O connectors - these are the easiest items to identify. They always mate with standardized cables to power supplies or to peripheral devices. There are often PCI connectors that accept daughterboards with specialized I/O circuits. There is often an additional high-performance connector for attaching a graphics circuit.
BIOS ROM - this is hard to spot on the newest devices because ROM circuits have grown so tiny. On old motherborads, the BIOS appears as a distinct row of ROM chips. On the latest, there may be only one or two chips interspersed among others on the board.

The most reliable way to identify a motherboard's contents is to locate a copy of its installation manual. These are usually posted on the web by the motherboard's manufacturer. Most boards clearly include the manufacturer's name and the board's model number.

If the manufacturer and model number aren't obvious, it may be possible to identify the motherboard using Google Images. Enter the word "motherboard" as a search term along with other textual items on the board. Compare the images displayed with the color and layout of the motherboard in question. Keep in mind everything should match when you find the correct board. Missing or misplaced features indicate that the boards don't match. A popular motherboard may appear many times, but most images will lead to pages that indicate the manufacturer and model. In some cases, the image may lead directly to the manufacturer's own pages.

3: Controlling Files

Study Acronyms and Terms

Visit the Quizlet web site to find study aids for the chapter's acronyms and terms by following the links below. Many students prefer to study the acronyms first.

Computer Viruses

Security consultant Fred Cohen performed much of the pioneering analysis of computer viruses. His web site contains several useful articles on virus technology. Even though some of the material is 30 years old, the basic technical truths remain unchanged.

Introduction to viruses from the 80s: This is a version of paper he presented 2 or 3 times in the late 1980s. It's a subset of material appearing in his book A Short Course on Computer Viruses.
Encyclopedia entry on viruses from 1990: A brief but in-depth discussion of virus technology. The entry describes attacks on military multilevel secure computers.

Some anti-virus vendors provide summaries of current anti-virus and malware activities:

Modern Malware

Here is a list of malware briefly described in the textbook, plus links to in-depth reports on each one. Check recent news: security experts occasionally make progress in eradicating one or another of these, but the botnets sometimes recover. Many of these are PDFs.

Waledac/Storm - reports by SRI, Symantec (updated)
Conficker, also called Downadup - Reports by SRI, Symantec
Pushdo/Cutwail - reports by Trend Micro (PDF), Fortiguard
ZeuS - reports by Symantec, Dell SecureWorks
Stuxnet - reports by Symantec, Christian Science Monitor, CNET News

Videos: Ralph Langer, a German expert in control systems security, gave a TED talk describing Stuxnet (~11 minutes). Bruce Dang of Microsoft also gave a detailed presentation about Stuxnet (75 minutes) at a conference.

Access Rights and Capabilities

Butler Lampson introduced the access matrix in his 1971 paper, "Protection" (PDF). Lampson has posted a copy on-line in several formats.

Although most modern systems use resource-oriented permissions to control access rights, there are a few cases that use capabilities, which associate rights with active entities like programs and users. Jack Dennis and Earl Van Horn of MIT introduced the notion of capabilities in their 1965 report "Programming Semantics for Multiprogrammed Computers," which was published in Communications of the ACM in 1966.

Marc Stiegler has posted an interesting introduction to capability based security that ties it to other important security concepts. The EROS OS project has also posted an essay that explains capability-based security. For a thorough coverage of capability based architecture circa 1984, see Henry Levy's book Capability-Based Computer Systems. He has posted it on-line.

Microsoft has posted an article that describes access control on Windows files and on the Windows "registry," a special database of system-specific information.

State Diagrams

Electrical engineers have relied on state diagrams for decades to help design complicated circuits. The technique is also popular with some software engineers, though it rarely finds its way into courses on computer programming. Any properly-constructed state diagram may be translated into a state table that provides the same information in a tabular form. Tony Kuphaldt's free on-line textbook Lessons in Electric Circuits explains state machines in the context of electric circuits in Volume IV, Chapter 11: Sequential Circuits-Counters.

Upper-lever computer science students may encounter state diagrams in a course on automata theory in which they use such diagrams to represent deterministic finite automata. Such mechanisms can handle the simplest type of formal language, a regular grammar. Most people encounter regular grammars as regular expressions, an arcane syntax used to match text patterns when performing complicated search-and-replace operations in text editors.

Students introduced to modern structured design techniques using the Unified Modeling Language (UML) often use state machine diagrams or state charts (a diagram in table form). On-line tutorials about UML state machines appear at Kennesaw State University and the Agile Modeling web site.

Tracking and Managing Security Flaws

In the US, there are several organizations that track and report on information security vulnerabilities. Many of these organizations provide email alerts and other data feeds to keep subscribers up to date on emerging vulnerabilities. Some organizations provide their services to particular communities (e.g. government or military organizations, or customers of a vendor's products) while others provide reports to the public at large.

US-CERT Vulnerability Notes - a list maintained by the US Department of Homeland Security
National Vulnerability Database - a list maintained by NIST to assist agencies in complying with federal standards
Common Vulnerabilities and Exposures (CVE) - a project sponsored by the US government to provide standard, common names for publicly known information security vulnerabilities.

The SANS Internet Storm Center also provides a variety of on-line news feeds and reports, as well as a continuously-updated "Infocon Status" to indicate unusual changes in the degree of malicious activity on the Internet. Click on the image below to visit the Internet Storm Center for further information on current vulnerabilities and malicious Internet activity.

In 2000, Arbaugh, Fithen, and McHugh wrote an article describing a life-cycle model of information security vulnerabilities titled "Windows of Vulnerability: A Case Study Analysis", (IEEE Computer 33, December 2000). The authors have posted a copy of the article online (PDF).

The Trojan Horse

The library at Stanford posted a brief history of the Trojan War. Although Homer's Iliad tells the story of the Trojan War, it says very little about the Greek trickery that led to the city's fall. The story is more the province of Virgil's Aeneid.

Trojan horse by Henri Motte, Paris, 1873

In the 1970s, Guy Steele at MIT started collecting bits of jargon used in the computer community. This yielded "The Jargon File," which Steele maintained for several years until it was passed on to Eric Raymond. According to the Jargon File, the term Trojan horse entered the computing lexicon via Dan Edwards of MIT and the NSA.

US-CERT has published a two-page guide on how to deal with a Trojan horse or virus infection on a computer (PDF).

4: Sharing Files

Study Acronyms and Terms

Visit the Quizlet web site to find study aids for the chapter's acronyms and terms by following the links below. Many students prefer to study the acronyms first.

File Permission Flags - Unix Style

There are numerous on-line tutorials on Unix and/or Linux file permissions, including ones provided by:

Several people have also posted videos explaining file permissions,
including thedangercobra, theurbanpenguin, and elithecomputerguy.

Access Control Lists

ACLs first appeared in the Multics timesharing system, as described in the paper "A General-Purpose File System For Secondary Storage," by R. Daley and Peter Neumann (Proc. 1965 Fall Joint Computer Conference) and on the Multicians web site.

Since ACLs could provide very specific access restrictions, they became recommended features of high-security systems. When the US DOD developed the "Trusted Computer System Evaluation Criteria," (PDF) (a.k.a. the TCSEC or Orange Book) ACLs were an essential feature of higher security systems. Modern security products are evaluated against the Common Criteria.

POSIX ACLs

While traditional Unix systems did not have ACLs, more advanced versions of Unix incorporated them, partly to meet high security requirements like those in the Orange Book. This led to the development of POSIX ACLs as part of a proposed POSIX 1003.1e standard. The standards effort was abandoned, but several Unix-based systems did incorporate POSIX ACLs. Here are examples:

FreeBSD
SuSE Linux

Mac OS-X ACLs

The ACL user interface on Mac OS-X is very simple. In fact, the OS-X ACLs are based on POSIX ACLs and may incorporate more spohisticated settings and inheritances than we see in the Finder's "Information" display. These features are available through special ACL options of the chmod shell command. One developer has produced an application called Sandbox that provides a more extensive GUI for managing the ACLs.

Windows ACLs

It can be challenging to find accurate online information about Windows ACLs, because the computer-based access controls are often confused with network-based access controls. The MS Developer Network provides general information about ACLs.

Researchers at CMU evaluated the Windows XP version of ACLs in a series of experiments documented in "Improving user-interface dependability through mitigation of human error," Intl J. Human-Computer Studies 63 (2005) 25-50, by Maxion and Reeder.

5: Storing Files (uc)

Under Construction

Study Acronyms and Terms

Visit the Quizlet web site to find study aids for the chapter's acronyms and terms by following the links below. Many students prefer to study the acronyms first.

TBD

5: Memory Sizes: kilo mega giga tera peta exa

Here is a summary of memory size names and their corresponding address sizes. Many people memorize this type of information naturally through working with computer technology over time or during a professional career.

Names for large numbers

Practicing with Quizlet

If you want to memorize these values, visit the Quizlet page. The page tests your knowledge of the smaller sizes (K, M, G, T), how these sizes are related (i.e. a terabyte is a thousand billion bytes), and how they relate to memory sizes (a TB needs an address approximately 40 bits long).

Address Size Shortcut

Here is a simple shortcut for estimating the number of bits required to address storage of a given size.

10³ ~ 2¹⁰

To put this into practice, we do the following:

Count the number of sets of three zeros (the "thousands") in the storage size.
Multiply the number of thousands by ten

Let's work out an example with a terabyte: a trillion-byte memory.

In a trillion (1,000,000,000,000) there are 4 sets of three zeroes
Multiply 4 by 10, and we get approximately 40 bits.

6: Authenticating People (tbd)

UNDER CONSTRUCTION

A Comprehensive Model of Information System Security

Two educational standards in information system security refer to closely-related models of information system security. First, we have a US government training standard:

Standard: NSTISSI 4011: National Training Standard for Information Systems Security (INFOSEC) Professionals
Model: J. R. McCumber, "Information Systems Security: A Comprehensive Model"

Second, we have an academic curriculum standard:

Standard: ACM's Information Technology 2008 curriculum guidelines
Model: Maconachy, Schou, Ragsdale, and Welch, "A Model for Information Assurance"