DOCSLIB.ORG

Information Technology Security Handbook

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Information Technology Security Handbook IT-SECURITY INFORMATION TECHNOLOGY SECURITY HANDBOOK by George Sadowsky James X. Dempsey Alan Greenberg Barbara J. Mack Alan Schwartz © 2003 The International Bank for Reconstruction and Development / The World Bank 1818 H Street, NW Washington, DC 20433 Telephone 202-473-1000 Internet www.worldbank.org E-mail [email protected] All rights reserved. The findings, interpretations, and conclusions expressed herein are those of the author(s) and do not necessarily reflect the views of the Board of Executive Directors of the World Bank or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of the World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. This Handbook is distributed on the understanding that if legal or other expert assistance is required in any particular case, readers should not rely on statements made in this Handbook, but should seek the services of a competent professional. Neither the authors, nor the reviewers or The World Bank Group accepts responsibility for the consequences of actions taken by readers who do not seek necessary advice from competent professionals, on legal or other matters that require expert advice. Rights and Permissions The material in this work is copyrighted. Copying and/or transmitting portions or all of this work without permission may be a violation of applicable law. The World Bank encourages dissemination of its work and will normally grant permission promptly. Portions of this publication have been extracted, with permission of the publisher, from Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical Unix and Internet Security, 3rd edition, © O'Reilly & Associates, Inc., February 2003, and Simson Garfinkel and Gene Spafford, Web Security, Privacy and Commerce, 2nd edition, © O'Reilly & Associates, Inc., January 2002. For permission to photocopy or reprint any part of this work, please send a request with complete information to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA, telephone 978-750-8400, fax 978-750-4470, www.copyright.com. All other queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, World Bank, 1818 H Street NW, Washington, DC 20433, USA, fax 202-522-2422, e-mail [email protected]. Design: Studio Grafik, Herndon, VA GLOBAL INFORMATION AND COMMUNICATION TECHNOLOGIES DEPARTMENT THE WORLD BANK 1818 H STREET · NW WASHINGTON · DC 20433 USA telephone 202.458.5153 facsimile 202.522.3186 email [email protected] website infodev.org ISBN 0-9747888-0-5 INFORMATION FOR DEVELOPMENT PROGRAM A CRONYMS ICT Information and Communication Technology OECD DAC Organization for Economic Cooperation and Development's Development Assistance Committee MDGs Millennium Development Goals NGO Non–Government-Organization WSIS World Summit on the Information Society DotForce Digital Opportunity Task Force of the G8 states. G8 Major industrial democracies have been meeting annually since 1975 to deal with the major economic and political issues facing their domestic societies and the international community as a whole. These states – the G8 – contain France, USA, Germany, Japan, Italy, Great Britain, Canada and – since the Birmingham Summit in 1998 - Russia. UN ICT Task Force United Nations Information and Communication Technology Task Force PDA Personal Digital Assistant SME’s Small and Medium Enterprises HIPC Highly Indebted Poor Countries FDI Foreign Direct Investment OECD Organization for Economic Cooperation and Development DFID Department for International Development ITDG Intermediate Technologies Development Group VoIP Voice-over-Internet-Protocol Information Technology Security Handbook iii CONTENTS 1 PREFACE 125 CHAPTER 9. COMPUTER CRIME 130 CHAPTER 10. MOBILE RISK MANAGEMENT 7 EXECUTIVE SUMMARY 139 CHAPTER 11. BEST PRACTICES: BUILDING SECURITY CULTURE 144 CHAPTER 12. GENERAL RULES FOR 13 PART 1. INTRODUCTION COMPUTER USERS 14 CHAPTER 1. IT SECURITY IN THE DIGITAL AGE 150 CHAPTER 13. GLOBAL DIALOGUES ON SECURITY 29 PART 2. SECURITY FOR INDIVIDUALS 163 PART 4. INFORMATION SECURITY AND 30 CHAPTER 1. INTRODUCTION TO SECURITY GOVERNMENT POLICIES FOR INDIVIDUALS 164 CHAPTER 1. INTRODUCTION 31 CHAPTER 2. UNDERSTANDING AND 167 CHAPTER 2. PROTECTING GOVERNMENT SYSTEMS ADDRESSING SECURITY 174 CHAPTER 3. THE ROLE OF LAW AND GOVERNMENT 35 CHAPTER 3. KEEPING YOUR COMPUTER POLICY VIS A VIS THE PRIVATE SECTOR AND DATA SECURE 176 CHAPTER 4. GOVERNMENT 43 CHAPTER 4. KEEPING YOUR CYBER-SECURITY POLICIES OPERATING SYSTEM AND APPLICATION SOFTWARE SECURE 47 CHAPTER 5. MALICIOUS SOFTWARE 189 PART 5. IT SECURITY FOR 53 CHAPTER 6. SECURING SERVICES OVER NETWORKS TECHNICAL ADMINISTRATORS 63 CHAPTER 7. TOOLS TO ENHANCE SECURITY 190 CHAPTER 1. BACKGROUND 68 CHAPTER 8. PLATFORM SPECIFIC ISSUES 196 CHAPTER 2. SECURITY FOR ADMINISTRATORS 73 ADDENDUM 1. INTRODUCTION TO ENCODING 209 CHAPTER 3. PHYSICAL SECURITY AND ENCRYPTION 220 CHAPTER 4. INFORMATION SECURITY 77 ADDENDUM 2. TCP/IP 238 CHAPTER 5. IDENTIFICATION AND AUTHENTICATION 79 ADDENDUM 3. MINI-GLOSSARY OF TECHNICAL TERMS 266 CHAPTER 6. SERVER SECURITY 288 CHAPTER 7. NETWORK SECURITY 314 CHAPTER 8. ATTACKS AND DEFENSES 81 PART 3. SECURITY FOR ORGANIZATIONS 326 CHAPTER 9. DETECTING AND MANAGING A BREAK-IN 82 CHAPTER 1. INTRODUCTION 341 CHAPTER 10. SYSTEM-SPECIFIC GUIDELINES 86 CHAPTER 2. OVERVIEW OF E-SECURITY RISK MITIGATION 94 CHAPTER 3. RISK EVALUATION AND LOSS ANALYSIS 351 ANNEXES 101 CHAPTER 4. PLANNING YOUR SECURITY NEEDS 352 ANNEX 1. GLOSSARY 105 CHAPTER 5. ORGANIZATIONAL SECURITY POLICY 362 ANNEX 2. BIBLIOGRAPHY AND PREVENTION 371 ANNEX 3. ELECTRONIC RESOURCES 112 CHAPTER 6. PERSONNEL SECURITY 378 ANNEX 4. SECURITY ORGANIZATIONS 117 CHAPTER 7. SECURITY OUTSOURCING 384 ANNEX 5. PRINT RESOURCES 122 CHAPTER 8. PRIVACY POLICIES LEGISLATION, AND GOVERNMENT REGULATION Information Technology Security Handbook v FORWARD he Preparation of this book was fully funded by a grant from the infoDev Program of the World Bank Group. The topic of Information Technology (IT) security has been growing in importance in the last few years, and Twell recognized by infoDev Technical Advisory Panel. We would like to thank the State Secretariat of Economic Affairs of Switzerland (SECO) for having been instrumental not only in providing the funding for this project, but also in recognizing the urgency of the matter and allowing this book to come to fruition. We recognize the fundamental role of Informational and Communication Technologies (ICT) for social and economic development. Similarly, we recognize that there cannot be an effective use of ICT in the absence of a safe and trusted ICT environment. Thus, IT security plays a prime role in helping creating the environment needed to set the ground for implementing successful national ICT plans, e-Government or e-Commerce activities, as well as sectoral projects, such as, for example, in the areas of education, health, or finance. IT security is a complex topic and evolves almost as fast as technology does. The authors have succeeded in providing technology-independent best practices, as well as recommendations for particular IT environments. As technology evolves, the accompanying web site (www.infodev-security.net) will provide updates as appropriate, allowing for a constant dissemination of developments in the field of IT security. While the opinions and recommen- dations made in this book do not necessarily reflect the views of infoDev or The World Bank Group, we believe that the combination of the book and its supporting web site will make a valuable contribution to the understanding of IT security around the globe. The book is composed of five parts, each of which can be read independently. After an introduction to general issues of IT security, the book addresses issues relevant specifically to individuals, small and medium organizations, government, and technical administrators. Although most of the research and publications on IT security comes from developed countries, the authors have attempted to provide practical guidance applicable anywhere and to include examples from developing countries. We hope that this book and its supporting web site will provide the beginning of an interactive process, where the content and best practices will evolve overtime as technology advances, but more importantly, as readers will share their experiences and best practices with their peers. Mohsen A. Khalil Director, Global Information and Communication Technologies Department The World Bank Group Bruno Lanvin Program Manager, infoDev Program The World Bank Group Michel H. Maechler InfoDev Task Manager Senior Informatics Specialist The World Bank Group vi Walter Duss Bertrand Livinec, CISA Review Vice President, Practice Lead Sub-Saharan swiss interactive media and Francophone Africa Region Committee software association (simsa) Group Risk Management Solutions Managing Director, (GRMS) Members ASP Konsortium Switzerland PriceWaterhouseCoopers Wilen, Switzerland Paris, France Information Technology Kurt Haering Michel Maechler, CISA, CISM Security Handbook President Senior Informatics Specialist EFSI AG Global Information and Basel, Switzerland Communications Technology, Policy (Formerly President of Division Infosurance, Zürich, The World Bank Switzerland) Washington, DC, USA Thomas
Load more

Recommended publications
  • Coordinating Across Chaos: the Practice of Transnational Internet Security Collaboration
    COORDINATING ACROSS CHAOS: THE PRACTICE OF TRANSNATIONAL INTERNET SECURITY COLLABORATION A Dissertation Presented to The Academic Faculty by Tarun Chaudhary In Partial Fulfillment of the Requirements for the Degree International Affairs, Science, and Technology in the Sam Nunn School of International Affairs Georgia Institute of Technology May 2019 COPYRIGHT © 2019 BY TARUN CHAUDHARY COORDINATING ACROSS CHAOS: THE PRACTICE OF TRANSNATIONAL INTERNET SECURITY COLLABORATION Approved by: Dr. Adam N. Stulberg Dr. Peter K. Brecke School of International Affairs School of International Affairs Georgia Institute of Technology Georgia Institute of Technology Dr. Michael D. Salomone Dr. Milton L. Mueller School of International Affairs School of Public Policy Georgia Institute of Technology Georgia Institute of Technology Dr. Jennifer Jordan School of International Affairs Georgia Institute of Technology Date Approved: March 11, 2019 ACKNOWLEDGEMENTS I was once told that writing a dissertation is lonely experience. This is only partially true. The experience of researching and writing this work has been supported and encouraged by a small army of individuals I am forever grateful toward. My wife Jamie, who has been a truly patient soul and encouraging beyond measure while also being my intellectual sounding board always helping guide me to deeper insight. I have benefited from an abundance of truly wonderful teachers over the course of my academic life. Dr. Michael Salomone who steered me toward the world of international security studies since I was an undergraduate, I am thankful for his wisdom and the tremendous amount of support he has given me over the past two decades. The rest of my committee has been equally as encouraging and provided me with countless insights as this work has been gestating and evolving.
    [Show full text]
  • Design Principles and Patterns for Computer Systems That Are
    Bibliography [AB04] Tom Anderson and David Brady. Principle of least astonishment. Ore- gon Pattern Repository, November 15 2004. http://c2.com/cgi/wiki? PrincipleOfLeastAstonishment. [Acc05] Access Data. Forensic toolkit—overview, 2005. http://www.accessdata. com/Product04_Overview.htm?ProductNum=04. [Adv87] Display ad 57, February 8 1987. [Age05] US Environmental Protection Agency. Wastes: The hazardous waste mani- fest system, 2005. http://www.epa.gov/epaoswer/hazwaste/gener/ manifest/. [AHR05a] Ben Adida, Susan Hohenberger, and Ronald L. Rivest. Fighting Phishing Attacks: A Lightweight Trust Architecture for Detecting Spoofed Emails (to appear), 2005. Available at http://theory.lcs.mit.edu/⇠rivest/ publications.html. [AHR05b] Ben Adida, Susan Hohenberger, and Ronald L. Rivest. Separable Identity- Based Ring Signatures: Theoretical Foundations For Fighting Phishing Attacks (to appear), 2005. Available at http://theory.lcs.mit.edu/⇠rivest/ publications.html. [AIS77] Christopher Alexander, Sara Ishikawa, and Murray Silverstein. A Pattern Lan- guage: towns, buildings, construction. Oxford University Press, 1977. (with Max Jacobson, Ingrid Fiksdahl-King and Shlomo Angel). [AKM+93] H. Alvestrand, S. Kille, R. Miles, M. Rose, and S. Thompson. RFC 1495: Map- ping between X.400 and RFC-822 message bodies, August 1993. Obsoleted by RFC2156 [Kil98]. Obsoletes RFC987, RFC1026, RFC1138, RFC1148, RFC1327 [Kil86, Kil87, Kil89, Kil90, HK92]. Status: PROPOSED STANDARD. [Ale79] Christopher Alexander. The Timeless Way of Building. Oxford University Press, 1979. 429 430 BIBLIOGRAPHY [Ale96] Christopher Alexander. Patterns in architecture [videorecording], October 8 1996. Recorded at OOPSLA 1996, San Jose, California. [Alt00] Steven Alter. Same words, different meanings: are basic IS/IT concepts our self-imposed Tower of Babel? Commun. AIS, 3(3es):2, 2000.
    [Show full text]
  • Purdue's Computer Science Department
    A Tribute to Those No Longer With Us Frank Friedman Ruth Hart Robin Lea Pyle Saul Rosen “Maryland’s Gain is the Country’s Loss” Winnie Rosen – on the occasion of the selection/election of Spiro T Agnew as the Vice President of the United States Saul Rosen 1922–1991 Early Career – The Formative Years Born in Port Chester, NY on February 8, 1922. Graduated from the City College of New York in 1941 with a BS in mathematics Attended the University of Pennsylvania PhD in mathematics in 1950 Instructor of mathematics at Delaware (1946-47) Lecturer at UCLA (1948-49) Assistant professor at Drexel (1949-51) Assistant professor at the Penn (1952-54) Associate professor in the Computational Laboratory at Wayne State (1954-56). In the Private Sector Associate research engineer with Burroughs Corporation (1951-52) Manager, Burroughs Electrodata Division's Eastern Applied Mathematics Section (1956-58) Manager of Computer Programming and Services (1958-60) Computer and programming systems consultant (1960-62) at Philco Corporation Chief software designer for world's first transistorized computer, Philco TRANSAC S-2000 Saul Rosen – Back to Academics In 1962, Rosen joined Samuel Conte as one of the charter faculty members in Purdue's Computer Science Department Professor mathematics and CS (1962-66 and 1967-91) Professor of engineering and Associate Director of Computing at the State University of New York at Stony Brook (1966-67) From 1968-1987, Director of Purdue's Computing Center Took Purdue to the forefront of high-performance computing at U. S. universities Purdue acquired large, high-performance computing systems in the mid-1960s and was one of only three universities operating supercomputers during the 1970s and into the mid-1980s In 1947, Rosen became active in the (ACM) Served on the languages committee that eventually led to the ALGOL programming language Then served as first managing editor of the CACM Wrote extensively on practical systems programming.
    [Show full text]
  • Jonathan Zittrain's “The Future of the Internet: and How to Stop
    The Future of the Internet and How to Stop It The Harvard community has made this article openly available. Please share how this access benefits you. Your story matters Citation Jonathan L. Zittrain, The Future of the Internet -- And How to Stop It (Yale University Press & Penguin UK 2008). Published Version http://futureoftheinternet.org/ Citable link http://nrs.harvard.edu/urn-3:HUL.InstRepos:4455262 Terms of Use This article was downloaded from Harvard University’s DASH repository, and is made available under the terms and conditions applicable to Other Posted Material, as set forth at http:// nrs.harvard.edu/urn-3:HUL.InstRepos:dash.current.terms-of- use#LAA YD8852.i-x 1/20/09 1:59 PM Page i The Future of the Internet— And How to Stop It YD8852.i-x 1/20/09 1:59 PM Page ii YD8852.i-x 1/20/09 1:59 PM Page iii The Future of the Internet And How to Stop It Jonathan Zittrain With a New Foreword by Lawrence Lessig and a New Preface by the Author Yale University Press New Haven & London YD8852.i-x 1/20/09 1:59 PM Page iv A Caravan book. For more information, visit www.caravanbooks.org. The cover was designed by Ivo van der Ent, based on his winning entry of an open competition at www.worth1000.com. Copyright © 2008 by Jonathan Zittrain. All rights reserved. Preface to the Paperback Edition copyright © Jonathan Zittrain 2008. Subject to the exception immediately following, this book may not be reproduced, in whole or in part, including illustrations, in any form (beyond that copying permitted by Sections 107 and 108 of the U.S.
    [Show full text]
  • Whatever Happened to Formal Methods for Security?
    Whatever Happened to Formal Methods for Security? (IEEE Computer Magazine, August 2016 publication on Supply Chain Security, regular paper in the Perspectives section) J. Voas and K. Schaffer We asked 7 experts 7 questions to find out what has occurred recently in terms of applying formal methods (FM) to security-centric, cyber problems. We are continually reminded of the 1996 paper by Tony Hoare “How did Software Get So Reliable Without Proof?” [1] In that vein, how did we get so insecure with proof? Given daily press announcements concerning new malware, data breaches, and privacy loss, is FM still relevant or was it ever? Our experts answered with unique personal insights. We were curious as to whether this successful methodology in “safety-critical” has succeeded as well for today’s “build it, hack it, patch it” mindset. Our experts were John McLean (Naval Research Labs), Paul Black (National Institute of Standards and Technology), Karl Levitt (University of California at Davis), Joseph Williams (CloudEconomist.Com), Connie Heitmeyer (Naval Research Labs), Eugene Spafford (Purdue University), and Joseph Kiniry (Galois, Inc.). The questions and responses follow. 1) Most are aware that FM has been highly successful in safety-critical systems over the past decades. Much of that success stems from those systems being deployed in regulated industries. If you agree with this claim, it begs two questions: (1) Is FM as well suited to security concerns, and (2) if assurance is more compliance and self-governance Joseph Williams Formal methods have been successfully applied to safety-critical systems. One reason is the overwhelming evidence that formal methods do result in safer systems.
    [Show full text]
  • Developing a Normative Framework for Cyberwarfare
    Developing a Normative Framework for Cyberwarfare October 17-18, 2016 United States Naval Academy Annapolis, Maryland Table of Contents: Purpose 3 Acknowledgments 3 Schedule 4 Presentation Abstracts 6 Presenter Biosketches 11 Grant Team Biosketches 15 Registration 17 Venue 17 Banquet 17 Hotel 17 Travel 17 Maps 18 Contacts 21 Notes 22 2 Purpose: Welcome to our workshop on the social, ethical, and legal implications on cyberwarfare. As this is quickly-evolving terrain, we hope to reflect the current state of play, as well as to sketch the short- and mid-term future. In these endeavors, we will be aided by a diverse and distinguished group of invited presenters. These presenters have been carefully selected from academia, industry, and government, and bring with them a wealth of expertise and experience. Unlike many academic workshops, this one is meant to be discussion intensive. Toward that end, presenters have been asked to keep their briefings to approximately fifteen minutes, leaving the rest of the sessions for interaction. To foster these interactions, we will operate under The Chatham House Rule: participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed without their expressed consent. Acknowledgments: The conference is organized by Dr. Fritz Allhoff (Western Michigan University/Stanford Law School), Dr. Patrick Lin (California Polytechnic State University), and Dr. Ryan Jenkins (California Polytechnic State University). It is supported by funding from the U.S. National Science Foundation (NSF), under awards #1318126, #1317798, #1318270. In addition to the NSF, we are grateful for institutional support from the following: California Polytechnic State University, Case Western Reserve University’s Inamori International Center for Ethics and Excellence, Naval Postgraduate School, United States Naval Academy’s Stockdale Center for Ethical Leadership, and Western Michigan University.
    [Show full text]
  • Cyber Security in the Three Times: Past, Present & Future
    Carnegie Mellon CyLab 4720 FORBES AVENUE CIC BUILDING PITTSBURGH, PA 15213 PH: 412.268.1870 FX: 412.268.7675 www.cylab.cmu.edu Cyber Security in the Three Times: Past, Present & Future CERT 20th Anniversary Seminar Series Pittsburgh, Pennsylvania, 7/22/08 Cyber Security in the Three Times Agenda • Speaker’s Bio • CyLab’s Mission • Global Economy & Cyberspace • Glimpses Into the 21st Century Threat Matrix • Cyber Risks Timeline • Elements of A Holistic Program • Ruminations & Conclusions Richard Power, Carnegie Mellon CyLab 2008 2 Harnessing the Future to Secure the Present Richard Power • CyLab Distinguished Fellow • Director of Global Security Intelligence for Deloitte Touche Tohmatsu (2002-2005) • Editorial Director for Computer Security Institute (1994-2002) • Author of Five Books, Including – Secrets Stolen/Fortunes Lost: Preventing Intellectual Property Theft & Economic Espionage in the 21st Century, (w/ Christopher Burgess) – Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace • Author of War & Peace in Cyberspace, monthly column for Computer Fraud and Security Journal (w/ Dario Forte) Richard Power, Carnegie Mellon CyLab 2008 3 CyLab’s Mission CyLab is … • A bold and visionary effort, which establishes public-private partnerships to develop new technologies for measurable, available, secure, trustworthy, and sustainable computing and communications systems as well as to educate individuals at all levels. • A dynamic matrix, in which great works are accomplished, great minds come together, and great careers are launched. • A vital resource for government and business to draw on in addressing cyber risks that threaten national and economic security. • A world leader in both technological research and the education of information assurance professionals, CyLab harnesses the future to secure the present.
    [Show full text]
  • An Interview With
    An Interview with REBECCA G. BACE OH 410 Conducted by Jeffrey R. Yost on 31 July 2012 Computer Security History Project University of Maryland, Baltimore Charles Babbage Institute Center for the History of Information Technology University of Minnesota, Minneapolis Copyright, Charles Babbage Institute Rebecca G. Bace Interview 31 July 2012 Oral History 410 Abstract Rebecca Bace, who has a Master of Engineering Science degree from Loyola College, is a leading figure in the computer security field of intrusion detection. She is the author the influential textbook on this topic, Intrusion Detection, and was leader of the pioneering Computer Misuse and Anomaly Detection (CMAD) Research Program at the National Security Agency from 1989 to 1995. In this capacity, she sponsored much of the first wave of path breaking academic research on intrusion detection. This interview briefly addresses Ms. Bace’s education and early professional life before focusing on her dozen years at the NSA, and specifically her leadership of CMAD. In detailing the portfolio of early CMAD sponsored projects that Bace supported, it provides an important lens into the early evolution of intrusion detection as a research field and area of practice, and identifies many of this field’s pioneering contributors. The interview also briefly touches on Bace’s work after leaving the NSA, including at Los Alamos National Laboratory and as President of the consulting firm Infidel, Inc. This material is based upon work supported by the National Science Foundation under Grant No. 1116862, “Building an Infrastructure for Computer Security History.” 2 Yost: My name is Jeffrey Yost from the Charles Babbage Institute of the University of Minnesota, and I’m here today with Rebecca Bace at the University of Maryland Baltimore County Campus at the Tech Incubator.
    [Show full text]
  • CEG 429/629: Internet Security
    Wright State University CORE Scholar Computer Science & Engineering Syllabi College of Engineering & Computer Science Fall 2004 CEG 429/629: Internet Security Prabhaker Mateti Wright State University - Main Campus, [email protected] Follow this and additional works at: https://corescholar.libraries.wright.edu/cecs_syllabi Part of the Computer Engineering Commons, and the Computer Sciences Commons Repository Citation Mateti, P. (2004). CEG 429/629: Internet Security. https://corescholar.libraries.wright.edu/cecs_syllabi/5 This Syllabus is brought to you for free and open access by the College of Engineering & Computer Science at CORE Scholar. It has been accepted for inclusion in Computer Science & Engineering Syllabi by an authorized administrator of CORE Scholar. For more information, please contact [email protected]. -~·-- ·~·-··--~·~··--· Internet Securty Course Syllabus by Mateti Page 1 of4 f-cY-1 t CEG 429/629: Internet Security vVRIGHT STATE UN'JV ERSJTY Instructor: Dr Prabhaker Mateti ~e of Engineering & CS }Yrighl State University Dayton, Ohio 45435-0001 Catalog Description: CEG 429 Internet Security Introduction to security issues arising primarily from computer networks. Topics include node and service authentication, address spoofing, hijacking, SYN floods, smurfing, sniffing, routing tricks, and privacy of data en route. Buffer overruns and other exploitation of software development errors. Hardening ofoperating systems. Intrusion detection. Firewalls. Ethics. Prerequisites: CEG 402 Source J\<faterial Home Page Please visit the home page for announcements, and info on notes. There is no required text book this term. Simson Garfinkel, Gene Spafford Practical Unix and Internet Security, 3rd edition (2003), O'Reilly & Associates; ISBN: 0596003234. A recommended text book. Errata Previous Editions: http://":Jyww.oreilly.com/catalogLpuis/errat~ William Stallings Network Security Essentials: Applications and Standards, 1st edition (April 15, 2000), Prentice Hall; ISBN: 0130160938.
    [Show full text]
  • Are Computer Hacker Break-Ins Ethical?£
    Are Computer Hacker Break-ins Ethical?£ Eugene H. Spafford Department of Computer Sciences Purdue University West Lafayette, IN 47907–1398 [email protected] Abstract Recent incidents of unauthorized computer intrusion have brought about discussion of the ethics of breaking into computers. Some individuals have argued that as long as no significant damage results, break-ins may serve a useful purpose. Others counter with the expression that the break-ins are almost always harmful and wrong. This article lists and refutes many of the reasons given to justify computer intrusions. It is the author’s contention that break-ins are ethical only in extreme situations, such as a life- critical emergency. The article also discusses why no break-in is “harmless.” 1 Introduction On November 2, 1988, a program was run on the Internet that replicated itself on thousands of machines, often loading them to the point where they were unable to process normal requests. [1, 2, 3] This Internet Worm program was stopped in a matter of hours, but the controversy engendered by its release raged for years. Other recent incidents, such as the “wily hackers”1 tracked by Cliff Stoll [4], the “Legion of Doom” members who are alleged to have stolen telephone company 911 software [5], and the growth of the computer virus problem [6, 7, 8, 9] have added to the discussion. What constitutes improper access to computers? Are some break-ins ethical? Is there such a thing as a “moral hacker”?[10] It is important that we discuss these issues. The continuing evolution of our technological base and our increasing reliance on computers for critical tasks suggests that future incidents may well £ Copyright ­c 1991, 1997 by Eugene H.
    [Show full text]
  • 2003-2004 Faculty Information
    Department of Computer Science 2003-04 Annual Report Message For Purdue Computer Science, 2003-04 was a year of special milestones! from the On October 1, 2003, the department celebrated the end of its successful Capital Campaign for a new facility. Almost exactly a year later, on Monday, October 4, 2004, we broke ground. A few weeks later, on October 16, the building was named for our lead donors Richard and Patricia (Pat) Lawson in a special Homecoming Celebration. We invite you to monitor the building progress by viewing our live webcam at http://buildingcam.cs.purdue.edu/popup.html. The Head building is to be completed in time for the fall 2006 semester. Collaboration with internal and external partners has always been a hallmark of our department. In this spirit, the Computer Science Department plays an active role in the School of Science COALESCE initiative (see http://www.science.purdue.edu/COALESCE for more information). COALESCE is part of a Purdue-wide initiative to target compelling national research priorities that require insights and contributions from multiple disciplines.Solving societal problems through multi-disciplinary research is quickly becoming an integral component of progressive science programs, and we are proud to be one of the pioneers in changing the shape of science. Multi-disciplinary research and hiring was the focus of the first Departmental Advisory Board meeting held in March 2004. The mission of this newly created board includes actively advising the department in achieving the departmen- tal vision as defined in the strategic plan. Last year’s board members were: Jeanne Ferrante (UC San Diego), Gene Golub (Stanford), Clinton Kelly (SAIC), Kevin Kahn (Intel), and Robert Tarjan (Princeton and HP).
    [Show full text]
  • Tripwire® Intrusion Detection System 1.3 for LINUX® User Manual July 27Th, 1998 COPYRIGHT NOTICE
    Tripwire® Intrusion Detection System 1.3 for LINUX® User Manual July 27th, 1998 COPYRIGHT NOTICE All files in this distribution of Tripwire® are Copyright 1992-1998 by the Purdue Research Foundation of Purdue University and are distributed by Tripwire® Security Systems, Inc. under exclusive license arrangements. All rights reserved. Some individual files in this distribution may be covered by other copyrights, as noted in their embedded comments. This release is for single CPU, single-site, end-use purposes. Duplication is only allowed for the purposed of backup. Any other use of this software requires the prior written consent of Tripwire Security Systems, Inc. If this software is to be used on a Web site, the "Tripwire Protected" logo can be used on the site home page along with appropriate copyright and trademark information. Neither the name of the University nor the names of the authors may be used to endorse or promote products derived from this material without specific prior written permission. THIS SOFTWARE IS PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ANY PARTICULAR PURPOSE. Tripwire® Security Systems, Inc. 615 SW Broadway, Second Floor Portland, OR 97205, USA tel: 503.223.0280 fax: 503.223.0182 (www.tripwiresecurity.com) 2 Quick Start QUICK START If you have used an earlier version of Tripwire, or if you are a new user, we suggest that you follow the steps below to properly configure, install, and use Tripwire: 1) Read the “INSTALLING TRIPWIRE IDS 1.3 for Linux” section.
    [Show full text]