Computer Security Basics

There's a lot more consciousness of security today, but not a lot of understanding of what it means and how far it should go. Nobody loves security, but most people — users, system administrators, and managers alike — are starting to feel that they'd better accept it, or at least try to understand it.

This handbook describes security concepts like trusted systems, cryptography, mandatory access control, and biometrics in simple terms. It gives you the basic concepts you need to know to be able to protect your system and your data. It also explains the government and industry security standards that affect today's computer systems and vendors.

For example, most U.S. government equipment acquisitions now require "Orange Book" (Trusted Computer System Evaluation Criteria) certification. Computer Security Basics contains a more readable introduction to the Orange Book than any other book or government publication.

Contents include:

• Introduction — basic computer security terms and concepts, what security is good for, the Internet worm and other security breaches
• Access controls — logins, passwords, discretionary and mandatory access controls on data
• A summary of Orange Book classes and security requirements
• Communications, network, and encryption security
• Physical security, biometric devices, and TEMPEST
• Appendices — a complete security glossary, reference tables, other sources of security information

1. Overview
1. Introduction
• Attack of the Giant Worm (and Other Tales)
• What is Computer Security?
  • A Broader Definition of Security
  • Secrecy and Confidentiality
  • Accuracy, Integrity, and Authenticity
  • Availability
• Threats to Security
  • Vulnerabilities
  • Threats
  • Countermeasures
• Why Buy Security?
  
  • Government Requirements
  • Information Protection
• What’s a User to Do?
2. Some Security History
• Information and Its Controls
• Computer Security: Then and Now
• Early Computer Security Efforts
  • Tiger Teams
  • Research and Modeling
  • Secure Systems Development
• Building Toward Standardization
  • Standards for Secure Systems
  • Standards for Cryptography
  • Standards for Emanations
• Computer Security Mandates and Legislation
  • nsdd 145
  • ntissp 2
  • The Balancing Act
  • Computer Fraud and Abuse Act
  • Computer Security Act
  • Searching for a Balance
  • Recent Government Security Initiatives
• Privacy Considerations
• International Security Activity
• The Growth of Modern Standards
2. II. Computer Security
3. Computer System Security and Access Controls
• What Makes a System Secure?
• System Access: Logging Into Your System
  • Identification and Authentication
  • Protecting Passwords
• Data Access: Protecting Your Data
  • Discretionary access control
  • Mandatory access control
4. Viruses and Other Wildlife
• Viruses
• Worms
• Trojan Horses
• Bombs
• Trap Doors
• Spoofs
• Other Wildlife
• Remedies
5. Secure System Planning and Administration
• Administrative Security
• Overall Planning and Administration
  • Analyzing Costs and Risks
  • Planning for Disaster
  • Setting Security Rules for Employees
  • Training Users
• Day-to-Day Administration
  • Performing Backups
  • Performing a Security Audit
• Separation of Duties
6. Inside the Orange Book
• Introduction to the Orange Book
• A Summary of Security Concepts
  • What's a Trusted System?
  • Measuring Trust
  • Trusted Computing Base
  • Security Policy
  • Security Model
  • Security Kernel
  • Security Perimeter
• Orange Book Evaluation Classes
  • Comparison of Evaluation Classes
  • Complaints About the Orange Book
• Evaluations of Secure Systems
• Security Policy Requirements
  • Discretionary Access Control
  • Object Reuse
  • Labels
  • Mandatory Access Control
• Accountability Requirements
  • Identification and Authentication
  • Trusted Path
  • Audit
• Assurance Requirements
  • Operational Assurance
  • Life-cycle Assurances
• Documentation Requirements
  • Security Features User's Guide
  • Trusted Facility Manual
  • Test Documentation
  • Design Documentation
• Summary of Classes
  • D Systems: Minimal Security
  • C1 Systems: Discretionary Security Protection
  • C2 Systems: Controlled Access Protection
  • B1 Systems: Labeled Security Protection
  • B2 Systems: Structured Protection
  • B3 Systems: Security Domain
  • A1 Systems: Verified Design
• Compartmented Mode Workstation
• Government Computer Security Programs
3. Communications Security
7. Encryption
• Some History
• What Is Encryption?
  • Why Encryption?
  • Transposition and Substitution Ciphers
  • Cryptographic Keys: Private and Public
  • Key Management and Distribution
  • One-Time Pad
• The Data Encryption Standard
  
  • What Is the DES?
  • Application of the DES
• Other Cryptographic Algorithms
  
  • Variants on the DES
  • Publioc Key Algorithms
  • The RSA Algorithm
  • Digital Signatures and Notaries
  • Government Algorithms
• Message Authentication
• Encryption in Banking and Financial Applications
• Government Cryptographic Program
• NSA
• NIST
• Treasury
• Cryptographic Export Restrictions
8. Communications and Network Security
• What Makes Communication Secure?
  • Communications Vulnerabilities
  • Communications Threats
• Modems
• Networks
  • Network Terms
  • Protocols and layers
  • Some Network History
• OSI Model
• Network Security
  
  • Trusted Networks
  • Perimeters and Gateways
  • Security in Heterogeneous Environments
  • Encrypted Communications
• The Red Book and Government Network Evaluations
  • TCSEC Requirements
  • Other Security Services
• Some Network Security Project
  • DISNet and Blacker
  • SDNS
  • Kerberos
  • Project MAX
  • Secure NFS
4. Other Types of Security
9. Physical Security and Biometrics
• Physical Security
  • Natural Disasters
  • Risk Analysis and Disaster Planning
• Locks and Keys: Old and New
  • Types of Locks
  • Tokens
  • Challenge-Response Systems
  • Cards: Smart and Dumb
• Biometrics
  • Fingerprints
  • Handprints
  • Retina Patterns
  • Voice Patterns
  • Signature and Writing Patterns
  • Keystrokes
  • Signature and Writing Patterns
10. TEMPEST
• The Problem of Emanations
• The TEMPEST Program
• How To Build TEMPEST Products
• TEMPEST Standards and Restrictions
  
  • TEMPEST Standards
  • TEMPEST Export Restrictions
• Who Cares About TEMPEST?
  • Is TEMPEST Needed?
  • Changing TEMPEST Concepts
• Government TEMPEST Programs
5. Appendixes
1. Acronyms
2. Computer Security Legislation
3. Orange Book and Other Summaries
• Orange Book (TCSEC) Requirements
• Compartmented Mode Workstation (CMW) Requirements
• System High Workstation (SHW) Requirements
• International Security (ITSEC) Requirements
4. Computer Security Programs
Computer Security Programs
• The Role of NCSC
• The Role of NIST
• Trusted Product Evaluation Program (TPEP)
• Evaluation of Network Products
• Evaluations of Database Management Systems
• Evaluations of Security Subsystem Products
• Formal Verification Systems Evaluation Program (FVSEP)
• Degausser Products List
• Rating Maintenance Phase (RAMP) Program
• System Certification and Accreditation
• DOCKMASTER
• Technical Vulnerability Reporting Program
• Communications Security Programs
• Commercial COMSEC Endorsement Program
• CCEP Eligibility
• CCEP Program Steps
• Government Endorsed DES Equipment Program
• EFT Certification Program
• Protected Network Services List
• Off-line System List (OLSL)
• Restrictions on Cryptographic Products
• TEMPEST Security Programs
• Industrial TEMPEST Program and Preferred Products List
• Endorsed TEMPEST Products Program
• Endorsed TEMPEST Test Services Program
• Endorsed TEMPEST Test Instrumentation Program
5. A Security Source Book
• Government Publications
  • The Rainbow Series
  • Other NSA Publications
  • FIPS PUBS
  • NIST Special Publications
  • Other NIST Publications
  • Compartmented Mode Workstation (CMW) Publications
  • COMSEC Program Publications
  • TEMPEST Program Publications
  • Other Security-relevant Government Publications
• Government Program Contact Points
  • Computer Security (COMPUSEC) Programs
  • Communications Security (COMSEC) Programs
  • TEMPEST Programs
  • Other Government Contacts
• Emergency Organizations
• Standards Organizations
• Security User Groups
• Electronic Groups
  • USENET
  • Commercial bulletin Boards
  • NCSC DOCKMASTER
  • NIST Computer Security Bulletin Board
• Computer Security Periodicals
• Computer Security Books
  • Conference Proceedings
  • Computer Security Textbooks
  • Viruses and Other Programmed Threats
  • Computer Crime and Ethics
  • Of General Interest

A classic book that still can be used.