Security in Computing (4th Edition), October 2006
Publisher:
  • Prentice Hall PTR
  • Upper Saddle River, NJ
  • United States
ISBN: 978-0-13-239077-4
Published: 01 October 2006
Abstract

The New State-of-the-Art in Information Security: Now Covers the Economics of Cyber Security and the Intersection of Privacy and Information Security

For years, IT and security professionals and students have turned to Security in Computing as the definitive guide to information about computer security attacks and countermeasures. In their new fourth edition, Charles P. Pfleeger and Shari Lawrence Pfleeger have thoroughly updated their classic guide to reflect today's newest technologies, standards, and trends.

The authors first introduce the core concepts and vocabulary of computer security, including attacks and controls. Next, the authors systematically identify and assess threats now facing programs, operating systems, database systems, and networks. For each threat, they offer best-practice responses.

Security in Computing, Fourth Edition, goes beyond technology, covering crucial management issues faced in protecting infrastructure and information. This edition contains an all-new chapter on the economics of cybersecurity, explaining ways to make a business case for security investments. Another new chapter addresses privacy--from data mining and identity theft, to RFID and e-voting.

New coverage also includes:
  • Programming mistakes that compromise security: man-in-the-middle, timing, and privilege escalation attacks
  • Web application threats and vulnerabilities
  • Networks of compromised systems: bots, botnets, and drones
  • Rootkits--including the notorious Sony XCP
  • Wi-Fi network security challenges, standards, and techniques
  • New malicious code attacks, including false interfaces and keystroke loggers
  • Improving code quality: software engineering, testing, and liability approaches
  • Biometric authentication: capabilities and limitations
  • Using the Advanced Encryption System (AES) more effectively
  • Balancing dissemination with piracy control in music and other digital content
  • Countering new cryptanalytic attacks against RSA, DES, and SHA
  • Responding to the emergence of organized attacker groups pursuing profit

Cited By

  1. Moeckel C. Examining and Constructing Attacker Categorisations, Proceedings of the 14th International Conference on Availability, Reliability and Security, (1-6)
  2. Basak A, Bhunia S, Tkacik T and Ray S (2017). Security Assurance for System-on-Chip Designs With Untrusted IPs, IEEE Transactions on Information Forensics and Security, 12:7, (1515-1528), Online publication date: 1-Jul-2017.
  3. Yaseen Q, Jararweh Y, Panda B and Althebyan Q (2017). An insider threat aware access control for cloud relational databases, Cluster Computing, 20:3, (2669-2685), Online publication date: 1-Sep-2017.
  4. Mohammed N, Niazi M, Alshayeb M and Mahmood S (2017). Exploring software security approaches in software development lifecycle, Computer Standards & Interfaces, 50:C, (107-115), Online publication date: 1-Feb-2017.
  5. Giboney J, Proudfoot J, Goel S and Valacich J (2016). The Security Expertise Assessment Measure (SEAM), Computers and Security, 60:C, (37-51), Online publication date: 1-Jul-2016.
  6. Humayed A and Luo B. Cyber-physical security for smart cars, Proceedings of the ACM/IEEE Sixth International Conference on Cyber-Physical Systems, (252-253)
  7. Hausawi Y and Allen W. Usable-Security Evaluation, Proceedings of the Third International Conference on Human Aspects of Information Security, Privacy, and Trust - Volume 9190, (335-346)
  8. Pereira T and Santos H. Insider Threats, Proceedings of the Third International Conference on Human Aspects of Information Security, Privacy, and Trust - Volume 9190, (654-663)
  9. Lutz C and Tamò A. RoboCode-Ethicists, Proceedings of the ACM Web Science Conference, (1-12)
  10. Wu P (2015). Teaching the RSA algorithm with a hands-on C++ coding project, Journal of Computing Sciences in Colleges, 30:4, (57-64), Online publication date: 1-Apr-2015.
  11. Hausawi Y and Allen W. Usablity and security trade-off, Proceedings of the 2014 ACM Southeast Regional Conference, (1-6)
  12. Han G, Zeng H, Li Y and Dou W. SAFE, Proceedings of the conference on Design, Automation & Test in Europe, (1-4)
  13. Hausawi Y and Allen W. An Assessment Framework for Usable-Security Based on Decision Science, Proceedings of the Second International Conference on Human Aspects of Information Security, Privacy, and Trust - Volume 8533, (33-44)
  14. Myers J (2014). The cheat sheet as pedagogical tool, Journal of Computing Sciences in Colleges, 30:2, (44-51), Online publication date: 1-Dec-2014.
  15. Hallgren P, Mauritzson D and Sabelfeld A. GlassTube, Proceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security, (71-82)
  16. Liver B and Kaufmann H. Integrity in very large information systems, Proceedings of the 25th international conference on Advanced Information Systems Engineering, (641-656)
  17. Mayron L, Hausawi Y and Bahr G. Secure, usable biometric authentication systems, Proceedings of the 7th international conference on Universal Access in Human-Computer Interaction: design methods, tools, and interaction techniques for eInclusion - Volume Part I, (195-204)
  18. Zhang G, Yang Y, Liu X and Chen J. A Time-Series Pattern Based Noise Generation Strategy for Privacy Protection in Cloud Computing, Proceedings of the 2012 12th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (ccgrid 2012), (458-465)
  19. Yakovets N, Gryz J, Hazlewood S and van Run P. From MDM to DB2, Proceedings of the 26th Annual IFIP WG 11.3 conference on Data and Applications Security and Privacy, (207-222)
  20. Liao L, Chen M, Rodrigues J, Lai X and Vuong S (2012). A Novel Web-enabled Healthcare Solution on HealthVault System, Journal of Medical Systems, 36:3, (1095-1105), Online publication date: 1-Jun-2012.
  21. Cavalcante R, Bittencourt I, da Silva A, Silva M, Costa E and Santos R (2012). A survey of security in multi-agent systems, Expert Systems with Applications: An International Journal, 39:5, (4835-4846), Online publication date: 1-Apr-2012.
  22. Costa M. A solace in quantum, Proceedings of the 2011 conference on Information technology education, (263-268)
  23. Fuchs L, Pernul G and Sandhu R (2011). Roles in information security - A survey and classification of the research area, Computers and Security, 30:8, (748-769), Online publication date: 1-Nov-2011.
  24. Seale R and Hargiss K (2011). A Proposed Architecture for Autonomous Mobile Agent Intrusion Prevention and Malware Defense in Heterogeneous Networks, International Journal of Strategic Information Technology and Applications, 2:4, (44-54), Online publication date: 1-Oct-2011.
  25. Bahr G, Mayron L and Gacey H. Cyber risks to secure and private universal access, Proceedings of the 6th international conference on Universal access in human-computer interaction: design for all and eInclusion - Volume Part I, (433-442)
  26. Asnar Y and Massacci F. A method for security governance, risk, and compliance (GRC), Foundations of security analysis and design VI, (152-184)
  27. Lilien L, Al-Alawneh A and Ben Othmane L. The pervasive trust foundation for security in next generation networks, Proceedings of the 2010 New Security Paradigms Workshop, (129-142)
  28. Edge C and Stamey J. Security education on a budget, 2010 Information Security Curriculum Development Conference, (29-35)
  29. Ling M and Hassan W. Harnessing ANN for a secure environment, Proceedings of the 7th international conference on Advances in Neural Networks - Volume Part II, (540-547)
  30. Gordon D (2010). Forty years of movie hacking: considering the potential implications of the popular media representation of computer hackers from 1968 to 2008, International Journal of Internet Technology and Secured Transactions, 2:1/2, (59-87), Online publication date: 1-Feb-2010.
  31. Granzer W and Kastner W. Security analysis of open building automation systems, Proceedings of the 29th international conference on Computer safety, reliability, and security, (303-316)
  32. Birgisson A, Russo A and Sabelfeld A. Unifying facets of information integrity, Proceedings of the 6th international conference on Information systems security, (48-65)
  33. Onwubiko C and Lenaghan A (2009). Challenges and complexities of managing information security, International Journal of Electronic Security and Digital Forensics, 2:3, (306-321), Online publication date: 1-Jul-2009.
  34. Dlamini M, Eloff J and Eloff M (2009). Information security, Computers and Security, 28:3-4, (189-198), Online publication date: 1-May-2009.
  35. Schaefer R (2009). The epistemology of computer security, ACM SIGSOFT Software Engineering Notes, 34:6, (8-10), Online publication date: 3-Dec-2009.
  36. Said H, Guimaraes M, Maamar Z and Jololian L. Database and database application security, Proceedings of the 14th annual ACM SIGCSE conference on Innovation and technology in computer science education, (90-93)
  37. Said H, Guimaraes M, Maamar Z and Jololian L (2009). Database and database application security, ACM SIGCSE Bulletin, 41:3, (90-93), Online publication date: 25-Aug-2009.
  38. Loo A (2008). The myths and truths of wireless security, Communications of the ACM, 51:2, (66-71), Online publication date: 1-Feb-2008.
  39. Li H, Huang J, Sweany P and Huang D (2008). FPGA implementations of elliptic curve cryptography and Tate pairing over a binary field, Journal of Systems Architecture: the EUROMICRO Journal, 54:12, (1077-1088), Online publication date: 1-Dec-2008.
  40. Myers J and Riela S (2008). Taming the diversity of information assurance & security, Journal of Computing Sciences in Colleges, 23:4, (173-179), Online publication date: 1-Apr-2008.
  41. Duffany J. Optimal resource allocation for securing an enterprise information infrastructure, Proceedings of the 4th international IFIP/ACM Latin American conference on Networking, (35-42)
  42. Fernandez E, Sorgente T and Larrondo-Petrie M. Even more patterns for secure operating systems, Proceedings of the 2006 conference on Pattern languages of programs, (1-9)
  43. Tsai W, Liu X, Chen Y and Paul R. Simulation Verification and Validation by Dynamic Policy Enforcement, Proceedings of the 38th annual Symposium on Simulation, (91-98)
  44. Ho Y, Pepyne D, Zhao Q, Liu H, Yu Q and Dukes B (2004). ProgramID, Discrete Event Dynamic Systems, 14:4, (381-393), Online publication date: 1-Oct-2004.
Contributors
  • The University of Tennessee, Knoxville
  • Dartmouth College

Reviews

Diomidis Spinellis

D.E.R. Denning's classic book [1] is 400 pages long. If a field's importance can be judged by the size of its textbooks, then security is certainly in the spotlight. At 845 pages, Charles and Shari Pfleeger's book will require me to rearrange my bookshelf of security books to make space for it. Yet, I would be hard-pressed to find material in it that could be removed. When the Pfleegers can choose between elaborating and outlining a topic, they will typically elaborate, adding examples, diagrams, and sidebars to illustrate its significance. Security experts may find this level of detail tiresome, but I'm sure that students and unversed professionals will appreciate it when trying to grapple with the hundreds of security concepts discussed in the book.

The book's organization is eminently practical. After two chapters covering the problem of security in computing and the basics of cryptography, the next chapters of the book address security in specific fields: program code, general-purpose operating systems, trusted systems, databases, and networks. The relevant theory is covered close to the point where it is introduced. Although a separate discussion of security's terms and theoretical underpinnings may be more elegant, I've seen that students find such an approach tiring, if not sleep-inducing. The next four chapters are less technical, dealing with security administration, the economics of cybersecurity, privacy in computing, and legal and ethical issues. A final chapter, "Cryptography Explained," contains the nitty-gritty details of cryptographic algorithms that mercifully weren't covered in the book's second chapter. A further 32 pages of bibliographic references and a 29-page index complete the offering. All chapters end with a summary, an index of terms and concepts, a discussion of where the particular field is headed, references for further reading, and plentiful exercises. The exposition is aided by numerous clear diagrams, sidebars, and many examples.

Some of the examples are oversimplified: for instance, in modern systems, a buffer overflow in a user's data area can't overwrite system data or program code, as shown on page 105. Nevertheless, a simplified example is better than an inscrutable one: readers wishing for an in-depth treatment of a particular topic can seek that in more specialized sources.

This book's fourth edition adds new material to many of the previous edition's chapters, such as those on networking, operating system attacks and controls, and data mining. More significantly, the book also includes two new chapters, one on the economics of cybersecurity and one on privacy. Both are hot topics that merit the treatment they receive in the book. In summary, this is a valuable textbook, bringing a large, diverse field under one comfortable and spacious roof.

Online Computing Reviews Service

Naga R Narayanaswamy

This book is to the field of computer security what Tanenbaum’s book [1] is to computer networks. It presents many aspects of computer security, such as threats, system vulnerabilities, cryptography, program code security, administration of computer systems, laws, privacy issues, and ethics. More than half of the book involves security in applications, operating systems, database management systems, and networks.

Security is more important now than ever, as almost all parts of our daily lives are digitized. A few years ago, Microsoft mentioned that it intended to shift its focus from features to security and privacy. It made all of its developers attend a security training program. The crusade to make everything secure must start at the grassroots level of software development. In spite of all these efforts, problems continue to persist. With this in mind, this book is ideal for students and professionals alike. The book is up to date as of late 2006. It is updated to reflect changing times; the new edition includes topics such as wireless, biometrics authentication capabilities, and better software processes and approaches.

The book is well organized. There is a bulleted summary at the beginning of each chapter with new terms placed in bold print. Each chapter also includes exercise questions; for example, “List three reasons why people might be reluctant to use biometrics for authentication and how to counter those objections.” There is a mini-index in each chapter as well. Terms and concepts are introduced in the first chapter. Cryptography and mathematical details are presented in two chapters. A lot of emphasis is placed on program security issues like buffer overflow, viruses, and rootkits. Since a computing system has several layers—its operating system, databases, networks, and storage—a weakness in the chain represents a system vulnerability. So, for example, the authors have described in one chapter how to design a trusted operating system. They have tried to avoid specific implementations or platforms.

The chapter on network security is the book’s longest, and I was disappointed that Internet protocol security (IPSec) and secure sockets layer (SSL) have only two pages devoted to them. I am not a fan of including Web site addresses in a book, and I found a Web site referred to in chapter 7 to be nonexistent. Policies, ethics, and many nontechnical aspects of security are presented in concluding chapters. Some of the future trends like electronic voting are described briefly. Overall, the book is a definite reference source for various people who are interested in understanding security issues. Though the book addresses computers in general, the principles can be applied to mobile phones, smartphones, personal digital assistants (PDAs), and many other gadgets we use in our daily lives.

Online Computing Reviews Service
