Beautiful Security (安全之美)

Publication date: June 2010  Publisher: Southeast University Press  Authors: Andy Oram, John Viega  Pages: 281
Tags: none

Preface

IF ONE BELIEVES THAT NEWS HEADLINES REVEAL TRENDS, THESE ARE INTERESTING times for computer security buffs. As Beautiful Security went to press, I read that a piece of software capable of turning on microphones and cameras and stealing data has been discovered on more than 1,200 computers in 103 countries, particularly in embassies and other sensitive government sites. On another front, a court upheld the right of U.S. investigators to look at phone and Internet records without a warrant (so long as one end of the conversation is outside the U.S.). And this week's routine vulnerabilities include a buffer overflow in Adobe Acrobat and Adobe Reader, with known current exploits, that lets attackers execute arbitrary code on your system using your privileges after you open their PDF.

Headlines are actually not good indicators of trends, because in the long run history is driven by subtle evolutionary changes noticed only by a few, such as the leading security experts who contributed to this book. The current directions taken by security threats as well as responses can be discovered in these pages.

All the alarming news items I mentioned in the first paragraph are just business as usual in the security field. Yes, they are part of trends that should worry all of us, but we also need to look at newer and less dramatic vulnerabilities. The contributors to this book have, for decades, been on the forefront of discovering weaknesses in our working habits and suggesting unconventional ways to deal with them.

Synopsis

Although most people do not take security seriously until their personal or corporate systems have been attacked, this provocative book shows that digital security is not merely worth thinking about; it is a fascinating subject in its own right. Criminals succeed through a great deal of creativity, and defenders must match it. Through a set of insightful essays and analyses, the book explores this challenging subject, covering:

- The underground economy of personal information: how it works, the relationships among criminals, and some of the new methods they use to ambush their prey
- How social networking, cloud computing, and other popular trends help and harm our online security
- How metrics, requirements gathering, design, and law can raise security to a higher level
- The real, little-known history of PGP

About the Authors

Editors: Andy Oram (USA), John Viega (USA)

Table of Contents

PREFACE
1. PSYCHOLOGICAL SECURITY TRAPS by Peiter "Mudge" Zatko
   Learned Helplessness and Naïveté
   Confirmation Traps
   Functional Fixation
   Summary
2. WIRELESS NETWORKING: FERTILE GROUND FOR SOCIAL ENGINEERING by Jim Stickley
   Easy Money
   Wireless Gone Wild
   Still, Wireless Is the Future
3. BEAUTIFUL SECURITY METRICS by Elizabeth A. Nichols
   Security Metrics by Analogy: Health
   Security Metrics by Example
   Summary
4. THE UNDERGROUND ECONOMY OF SECURITY BREACHES by Chenxi Wang
   The Makeup and Infrastructure of the Cyber Underground
   The Payoff
   How Can We Combat This Growing Underground Economy?
   Summary
5. BEAUTIFUL TRADE: RETHINKING E-COMMERCE SECURITY by Ed Bellis
   Deconstructing Commerce
   Weak Amelioration Attempts
   E-Commerce Redone: A New Security Model
   The New Model
6. SECURING ONLINE ADVERTISING: RUSTLERS AND SHERIFFS IN THE NEW WILD WEST by Benjamin Edelman
   Attacks on Users
   Advertisers As Victims
   Creating Accountability in Online Advertising
7. THE EVOLUTION OF PGP'S WEB OF TRUST by Phil Zimmermann and Jon Callas
   PGP and OpenPGP
   Trust, Validity, and Authority
   PGP and Crypto History
   Enhancements to the Original Web of Trust Model
   Interesting Areas for Further Research
   References
8. OPEN SOURCE HONEYCLIENT: PROACTIVE DETECTION OF CLIENT-SIDE EXPLOITS by Kathy Wang
   Enter Honeyclients
   Introducing the World's First Open Source Honeyclient
   Second-Generation Honeyclients
   Honeyclient Operational Results
   Analysis of Exploits
   Limitations of the Current Honeyclient Implementation
   Related Work
   The Future of Honeyclients
9. TOMORROW'S SECURITY COGS AND LEVERS by Mark Curphey
   Cloud Computing and Web Services: The Single Machine Is Here
   Connecting People, Process, and Technology: The Potential for Business Process Management
   Social Networking: When People Start Communicating, Big Things Change
   Information Security Economics: Supercrunching and the New Rules of the Grid
   Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All
   Conclusion
   Acknowledgments
10. SECURITY BY DESIGN by John McManus
   Metrics with No Meaning
   Time to Market or Time to Quality?
   How a Disciplined System Development Lifecycle Can Help
   Conclusion: Beautiful Security Is an Attribute of Beautiful Systems
11. FORCING FIRMS TO FOCUS: IS SECURE SOFTWARE IN YOUR FUTURE? by Jim Routh
   Implicit Requirements Can Still Be Powerful
   How One Firm Came to Demand Secure Software
   Enforcing Security in Off-the-Shelf Software
   Analysis: How to Make the World's Software More Secure
12. OH NO, HERE COME THE INFOSECURITY LAWYERS! by Randy V. Sabett
   Culture
   Balance
   Communication
   Doing the Right Thing
13. BEAUTIFUL LOG HANDLING by Anton Chuvakin
   Logs in Security Laws and Standards
   Focus on Logs
   When Logs Are Invaluable
   Challenges with Logs
   Case Study: Behind a Trashed Server
   Future Logging
   Conclusions
14. INCIDENT DETECTION: FINDING THE OTHER 68% by Grant Geyer and Brian Dunphy
   A Common Starting Point
   Improving Detection with Context
   Improving Perspective with Host Logging
   Summary
15. DOING REAL WORK WITHOUT REAL DATA by Peter Wayner
   How Data Translucency Works
   A Real-Life Example
   Personal Data Stored As a Convenience
   Trade-offs
   Going Deeper
   References
16. CASTING SPELLS: PC SECURITY THEATER by Michael Wood and Fernando Francisco
   Growing Attacks, Defenses in Retreat
   The Illusion Revealed
   Better Practices for Desktop Security
   Conclusion
CONTRIBUTORS
INDEX

Excerpt

In a flat world, workforces are decentralized. Instead of being physically connected in offices or factories as in the industrial revolution, teams are combined onto projects, and in many cases individuals combined into teams, over the Internet.

Many security principles are based on the notion of a physical office or a physical or logical network. Some technologies (such as popular file-sharing protocols such as Common Internet File System [CIFS] and LAN-based synchronization protocols such as Address Resolution Protocol [ARP]) take this local environment for granted. But those foundations become irrelevant as tasks, messages, and data travel a mesh of loosely coupled nodes.

The effect is similar to the effects of global commerce, which takes away the advantage of renting storefront property on your town's busy Main Street or opening a bank office near a busy seaport or railway station. Tasks are routed by sophisticated business rules engines that determine whether a call center message should be routed to India or China, or whether the cheapest supplier for a particular good has the inventory in stock.

BPM software changes the very composition of supply chains, providing the ability to dynamically reconfigure a supply chain based on dynamic business conditions. Business transactions take place across many companies under conditions ranging from microseconds to many years. Business processes are commonly dehydrated and rehydrated as technologies evolve to automatically discover new services. The complexity and impact of this way of working will only increase.

Press and Reviews

"This thoughtful collection of essays takes the reader beyond the fear, uncertainty, and doubt surrounding flashy security technology to the subtler beauty of the security problems that need to be addressed now. Beautiful Security shows the yin and yang of security, and the fundamental tension between spectacular destruction and brilliant creation."
Gary McGraw, CTO of Cigital, author of Software Security and nine other books
