安全之美

前言

|F ONE BELIEVES THAT NEWS HEADLINES REVEAL TRENDS, THESE ARE INTERESTING times forcomputer security buffs. As Beautiful Securitywent to press, I read that a piece of softwarecapable of turning on microphones and cameras and stealing data has been discovered on morethan 1,200 computers in 103 countries, particularly in embassies and other sensitivegovernment sites. On another front, a court upheld the right of U.S. investigators to look atphone and Internet records without a warrant （so long as one end of the conversation is outsidethe U.S.）. And this week's routine vulnerabilities include a buffer overflow in Adobe Acrobatand Adobe Reader——with known current exploits——that lets attackers execute arbitrary codeon your system using your privileges after you open their PDF.Headlines are actually not good indicators of trends, because in the long run history is drivenby subtle evolutionary changes noticed only by a few——such as the leading security expertswho contributed to this book. The current directions taken by security threats as well asresponses can be discovered in these pages.All the alarming news items I mentioned in the first paragraph are just business as usual in thesecurity field. Yes, they are part of trends that should worry all of us, but we also need to lookat newer and less dramatic vulnerabilities. The contributors to this book have, for decades,been on the forefront of discovering weaknesses in our working habits and suggestingunconventional ways to deal with them.

内容概要

尽管大多数人在他们个人或者公司的系统没有遭到攻击之前不会给予安全高度的重视，这本充满激辩的书籍依然表明了数字安全不仅仅是值得思考而已，它还是一个可以令人陶醉的话题。罪犯通过大量富有创造力的行为得以成功，防御方也需要付出同等的代价。　　本书通过一些有着深刻见解的文章和分析探索了这样一个具有挑战性的主题，其内容包括：　　个人信息的秘密机制：它如何工作，罪犯之间的关系，以及一些他们针对被掠食对象发起突袭时所使用的新方法　　社交网络、云计算和其他流行趋势如何帮助和伤害我们的在线安全　　衡量标准、需求收集、设计和法律如何能够把安全提升到一个更高的高度　　PGP真实又少为人知的历史

作者简介

编者：（美国）奥莱姆（Andy Oram） （美国）卫加（John Viega）

书籍目录

PREFACE1　PSYCHOLOGICAL SECURITY TRAPS　by Peiter“Mudge”Zatko  Learned Helplessness and NaTvet6  Confirmation Traps  FunctionaI Fixation  Summary2　WIRELESS NETWORKING：FERTILE GROUND FOR SOCIAL ENGINEERING　byJim Stickle),  Easy Money  Wi reless Gone Wild  Still．Wireless Is the Future3　BEAUTIFUL SECURITY METRICS　byElizabeth A．Nichols  Security Metrics by Analogy：Health  Security Metrics by Example  Summary4　THE UNDERGROUND ECONOMY OF SECURITY BREACHES  by Chenxi Wang  The Makeup and Infrastructure ofthe Cyber Underground  The Payoff  How Can We Combat This Growing Underg'round Economy?  Summary5  BEAUTlFUL TRADE：RETHINKlNG E．COMMERCE SECURITY  byEdBellis  DeconslructIng Commerce  Weak Amelioration Attempts  E-Commerce Redone：A New Security Model  The New ModeI6  SECURING ONLINE ADVERTISlNG：RUSTLERS AND SHERIFFS IN THE NEW WILD WEST  by Benjamin Edelman  Attacks on Users  Advertisers As Vi Clims  Creating Accountability in Online Advertising7　THE EVOLUTl0N OF PGP’S WEB OF TRUST  byPhil Zimmermann andJon Callas  PGP and OpenPGP  Trust，Validity，and Authority  PGP and C rypto History  Enhancements to the Original Web of Trust Model  Interesting A reas for Further Research   References8　OPEN SOURCE HONEYCLIENT：PROACTIVE DETECTION OF CLIENT．SIDE EXPLOITS　byKathywang  Enter Honeyclients  Introducing the World’S Fi rst Open Source Honeyclient  Second-Generation Honeyclients  Honeyclient OperationaI Results  Analysis of Exploits  Limitations ofthe Current Honeyclient Implementation  Related Work  The Future of Honeyclients9　TOMORROW’S SECURITY COGS AND LEVERS　byMark Curphey  Cloud Computing and Web Services：The Single Machine Is Here  ConnectimJ People，Process，and Technology：The Potential for Business Process Management  Social Networkin9：When People Start Communicatin9，Big Things Change  Information Security Economics：Supercrunching andthe New Rules oftheGrid  Platforms ofthe Lon9·Tail Variety：Why the Future Will Be Different for Us All  Conclusion  Acknowledgmenls10　SECURITY BY DESIGN　byJohn McManus  Metrics with No Meaning  Time to Market or Time to Quality?  How a Di sciplined System Development Lifecycle Can Help  Conclusion：Beautiful Security Is an Attribute of Beautiful Systems11  FORClNG FIRMS TO FOCUS：IS SECURE SOFTWARE IN YOUR FUTURE?  byJim Routh  Implicit Requi remenls Can StilI Be Powerful  How One Firm Came to Demand Secure Software  Enforcing Security in Off—the—ShelfSoftware  Analysis：How to Make the World’S Software More Secure12　0H N0，HERE COME THE INFOSECURITY LAWYERS!　byRandyv.Sabett  Culture  Balance  Communication  Doing the Right Thing13  BEAUTIFUL LOG HANDLING  byAnton Chuuakin  Logs in Security Laws and Standards  Focus on Logs  When Logs Are Invaluable  Challenges with Logs  Case Study：Behind a Trashed Server  Future Logging  Conclusions14　INCIDENT DETECTION：FINDING THE OTHER 68％　by Grant Geyer and Brian Dunphy  A Common Starting Point  Improving Detection with Context  Improving Perspective with Host Logging  Summary15　DOING REAL WORK WITHOUT REAL DATA  by Peter Wayner  How Data Translucency Works  A Real．Life Example  PersonaI Data Stored As a Convenience  Trade—offs  Going Deeper  References16  CASTING SPELLS：PC SECURITY THEATER  by Michael Wood and Fernando Francisco  Growing Attacks．Defenses in Retreat  The lIlusion Revealed  Better Practices for Desktop Security  Conclusion  CONTRIBUTORS  INDEX

章节摘录

插图：In a flat world, workforces are decentralized. Instead of being physically connected in officesor factories as in the industrial revolution, teams are combined onto projects, and in manycases individuals combined into teams, over the Internet.Many security principles are based on the notion of a physical office or a physical or logicalnetwork. Some technologies （such as popular file-sharing protocols such as Common InternetFile System [CIFS] and LAN-based synchronization protocols such as Address ResolutionProtocol [ARP]） take this local environment for granted. But those foundations becomeirrelevant as tasks, messages, and data travel a mesh of loosely coupled nodes.The effect is similar to the effects of global commerce, which takes away the advantage ofrenting storefront property on your town's busy Main Street or opening a bank office near abusy seaport or railway station. Tasks are routed by sophisticated business rules engines thatdetermine whether a call center message should be routed to India or China, or whether thecheapest supplier for a particular good has the inventory in stock.BPM software changes the very composition of supply chains, providing the ability todynamically reconfigure a supply chain based on dynamic business conditions. Businesstransactions take place across many companies under conditions ranging from microsecondsto many years. Business processes are commonly dehydrated and rehydrated as technologiesevolve to automatically discover new services. The complexity and impact of this way ofworking will only increase.

媒体关注与评论

“这一系列富有思想性的文章使读者可以超越对于耀眼的安全技术的恐惧、不确定和怀疑，从而能够感受到那些需要立即处理的安全问题的更多微妙之美。《安全之美》展示了安全的阴阳两面，以及壮观的破坏力和灿烂的创造力之间基础性的张力。”  　　——Gary McGraw，Cigital的CTO，《Software Security》和其他九本书的作者

图书封面

图书标签Tags

无

评论、评分、阅读与下载

---

    安全之美 PDF格式下载

---