

Computer Security Principles and Practice
Fifth Edition
William Stallings
Lawrie Brown
UNSW Canberra at the Australian Defence Force Academy
Content Management: Tracy Johnson
Content Production: Dr Rajul Jain
Product Management: Tracy Johnson
Product Marketing: Krista Clark and Wayne Stevens
Rights and Permissions: Chandan Kumar
Please contact https://support.pearson.com/getsupport/s/ with any queries on this content.
Cover Image by ra2studio/123RF.
Microsoft and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published as part of the services for any purpose. All such documents and related graphics are provided “as is” without warranty of any kind. Microsoft and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all warranties and conditions of merchantability, whether express, implied or statutory, fitness for a particular purpose, title and non-infringement. In no event shall Microsoft and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from the services.
The documents and related graphics contained herein could include technical inaccuracies or typographical errors.
Changes are periodically added to the information herein. Microsoft and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time. Partial screen shots may be viewed in full within the software version specified.
Microsoft® and Windows® are registered trademarks of the Microsoft Corporation in the U.S.A. and other countries. This book is not sponsored or endorsed by or affiliated with the Microsoft Corporation.
Copyright © 2024, 2018, 2015 by Pearson Education, Inc. or its affiliates, 221 River Street, Hoboken, NJ 07030. All Rights Reserved. Manufactured in the United States of America. This publication is protected by copyright, and permission should be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise. For information regarding permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights and Permissions department, please visit www.pearsoned.com/permissions/.
Acknowledgments of third-party content appear on the appropriate page within the text.
PEARSON is an exclusive trademark owned by Pearson Education, Inc. or its affiliates in the U.S. and/or other countries.
Unless otherwise indicated herein, any third-party trademarks, logos, or icons that may appear in this work are the property of their respective owners, and any references to third-party trademarks, logos, icons, or other trade dress are for demonstrative or descriptive purposes only. Such references are not intended to imply any sponsorship, endorsement, authorization, or promotion of Pearson’s products by the owners of such marks, or any relationship between the owner and Pearson Education, Inc., or its affiliates, authors, licensees, or distributors.
Library of Congress Cataloging-in-Publication Data
Names: Stallings, William, author. | Brown, Lawrie, author.
Title: Computer security : principles and practice / William Stallings, Lawrie Brown, UNSW Canberra at the Australian Defence Force Academy.
Description: Fifth edition. | Hoboken, NJ : Pearson Education, Inc., [2024] | Includes bibliographical references and index.
Identifiers: LCCN 2023000040 | ISBN 9780138091675 (hardcover) | ISBN 0138091676 (hardcover)
Subjects: LCSH: Computer security. | Computer networks—Security measures.
Classification: LCC QA76.9.A25 S685 2024 | DDC 005.8 dc23/eng/20230109
LC record available at https://lccn.loc.gov/2023000040
ISBN-10: 0-13-809167-6
ISBN-13: 978-0-13-809167-5
Pearson’s Commitment to Diversity, Equity, and Inclusion
Pearson is dedicated to creating bias-free content that reflects the diversity, depth, and breadth of all learners’ lived experiences.
We embrace the many dimensions of diversity, including but not limited to race, ethnicity, gender, sex, sexual orientation, socioeconomic status, ability, age, and religious or political beliefs.
Education is a powerful force for equity and change in our world. It has the potential to deliver opportunities that improve lives and enable economic mobility. As we work with authors to create content for every product and service, we acknowledge our responsibility to demonstrate inclusivity and incorporate diverse scholarship so that everyone can achieve their potential through learning. As the world’s leading learning company, we have a duty to help drive change and live up to our purpose to help more people create a better life for themselves and to create a better world.
Our ambition is to purposefully contribute to a world where:
• Everyone has an equitable and lifelong opportunity to succeed through learning.
• Our educational content accurately reflects the histories and lived experiences of the learners we serve.
• Our educational products and services are inclusive and represent the rich diversity of learners.
• Our educational content prompts deeper discussions with students and motivates them to expand their own learning (and worldview).
Accessibility
We are also committed to providing products that are fully accessible to all learners. As per Pearson’s guidelines for accessible educational Web media, we test and retest the capabilities of our products against the highest standards for every release, following the WCAG guidelines in developing new products for copyright year 2022 and beyond.
You can learn more about Pearson’s commitment to accessibility at https://www.pearson.com/us/accessibility.html
Contact Us
While we work hard to present unbiased, fully accessible content, we want to hear from you about any concerns or needs with this Pearson product so that we can investigate and address them.
Please contact us with concerns about any potential bias at https://www.pearson.com/report-bias.html
For accessibility-related issues, such as using assistive technology with Pearson products, alternative text requests, or accessibility documentation, email the Pearson Disability Support team at disability.support@pearson.com
Preface
What’s New in the Fifth Edition
Since the fourth edition of this book was published, the field has seen continued innovations and improvements. In this new edition, we try to capture these changes while maintaining a broad and comprehensive coverage of the entire field. There have been a number of refinements to improve pedagogy and user-friendliness, updated references, and mention of recent security incidents, along with a number of more substantive changes throughout the book. The most noteworthy of these changes include:
• Multi-factor authentication and mobile authentication: Chapter 3 includes a new discussion on multi-factor authentication (MFA), in which the user presents two or more pieces of evidence (or factors) to verify their identity. MFA is increasingly used to address the known problems with relying on a password alone for authentication. It is commonly implemented using a hardware authentication token, SMS text messages, or an authentication app on a mobile device, as we discuss.
• Mandatory access control (MAC): Chapter 4 includes some revised discussion on mandatory access controls that was previously included in the online Chapter 27. These controls are now included as part of the underlying security enhancements in recent releases of some Linux, macOS, and Windows systems.
• Social engineering and ransomware attacks: The discussion in Chapters 6 and 8 on social engineering, and on its use in enabling ransomware attacks, has been updated to reflect the growing incidence of such attacks and the need to defend against them. These defenses include improved security awareness training, as we discuss in Chapter 17.
• Supply-chain and business email compromise attacks: Chapter 8 includes new discussion on the growth of supply-chain and business email compromise (BEC) attacks, including the recent SolarWinds attack, which have been used to compromise many commercial and government organizations in recent years.
• Updated list of the most dangerous software errors: Chapter 11 includes an updated list of the Top 25 Most Dangerous Software Errors. It also discusses the recent widely exploited code injection attack on the Apache Log4j package.
• Updated list of essential controls: Chapter 12 includes updated lists of essential controls, including the Australian Signals Directorate’s “Essential Eight” that should be used by all organizations to improve the security of their operating systems.
• Trusted computer systems: Chapter 12 includes some revised discussion on trusted computer systems that was previously included in the online Chapter 27, which is relevant to the use of secure systems in some government organizations.
• Updated list of security controls: Chapter 15 includes a significantly updated list of the NIST security controls that should be considered when addressing identified security risks in organizations.
• Security awareness and training: Chapter 17 includes a significantly revised section on security awareness and training for personnel, which is of increasing importance given the rise in security incidents that result from deliberate or accidental personnel actions.
• European Union (EU) General Data Protection Regulation (GDPR): Chapter 19 includes a new section on the EU’s 2016 GDPR that is effectively the global standard for the protection of personal data, its collection, access, and use.
• The ChaCha20 stream cipher: Chapter 20 includes a new section with details of the ChaCha20 stream cipher, replacing details of the now deprecated RC4 cipher.
• Galois/Counter Mode: Appendix E now includes details of the Galois/Counter Mode (GCM), an authenticated encryption mode of operation for block ciphers.
Background
Interest in education in computer security and related topics has been growing at a dramatic rate in recent years. This interest has been spurred by a number of factors, two of which stand out:
1. As information systems, databases, and Internet-based distributed systems and communication have become pervasive in the commercial world, coupled with the increased intensity and sophistication of security-related attacks, organizations now recognize the need for a comprehensive security strategy. This strategy encompasses the use of specialized hardware and software and trained personnel to meet that need.
2. Computer security education, often termed information security education or information assurance education, has emerged as a national goal in the United States and other countries, with national defense and homeland security implications. The NSA/DHS National Center of Academic Excellence in Information Assurance/Cyber Defense is spearheading a government role in the development of standards for computer security education.
Accordingly, the number of courses in universities, community colleges, and other institutions in computer security and related areas is growing.
Objectives
The objective of this book is to provide an up-to-date survey of developments in computer security. Central problems that confront security designers and security administrators include defining the threats to computer and network systems, evaluating the relative risks of these threats, and developing cost-effective and user-friendly countermeasures.
The following basic themes unify the discussion:
• Principles: Although the scope of this book is broad, there are a number of basic principles that appear repeatedly as themes and that unify this field. Examples are issues relating to authentication and access control. The book highlights these principles and examines their application in specific areas of computer security.
• Design approaches: The book examines alternative approaches to meeting specific computer security requirements.
• Standards: Standards have come to assume an increasingly important, indeed dominant, role in this field. An understanding of the current status and future direction of technology requires a comprehensive discussion of the related standards.
• Real-world examples: A number of chapters include a section that shows the practical application of that chapter’s principles in a real-world environment.
The book is intended for both an academic and a professional audience. As a textbook, it is intended for a one- or two-semester undergraduate course for computer science, computer engineering, and electrical engineering majors. This edition is designed to support the recommendations of the ACM/IEEE Cybersecurity Curricula 2017 (CSEC2017). The CSEC2017 curriculum recommendation includes eight knowledge areas. Table P.1 shows the support for these knowledge areas provided in this textbook. CSEC2017 also identifies six crosscutting concepts that are designed to help students explore connections among the knowledge areas, and that are fundamental to their ability to understand the knowledge areas regardless of the underlying computing discipline. These concepts, which we introduce in Chapter 1, are as follows:
• Confidentiality: Rules that limit access to system data and information to authorized persons.
• Integrity: Assurance that the data and information are accurate and trustworthy.
• Availability: The data, information, and system are accessible.
• Risk: Potential for gain or loss.
• Adversarial thinking: A thinking process that considers the potential actions of the opposing force working against the desired result.
• Systems thinking: A thinking process that considers the interplay between social and technical constraints to enable assured operations.
Table P.1 Coverage of CSEC2017 Cybersecurity Curricula
Data Security
• Basic cryptography concepts
• Digital forensics
• End-to-end secure communications
• Data integrity and authentication
• Information storage security
Software Security
• Fundamental design principles including least privilege, open design, and abstraction
• Security requirements and role in design
• Implementation issues
• Static and dynamic testing
• Configuring and patching
• Ethics, especially in development, testing, and vulnerability disclosure (covered in Legal and Ethical Aspects)
This book provides coverage of all the subject areas specified for CISSP (Certified Information Systems Security Professional) certification. The CISSP designation from the International Information Systems Security Certification Consortium is often referred to as the “gold standard” when it comes to information security certification. It is the only universally recognized certification in the security industry. Many organizations, including the U.S. Department of Defense and many financial institutions, now require that cybersecurity personnel hold the CISSP certification. In 2004, CISSP became the first IT program to earn accreditation under the international standard ISO/IEC 17024 (General Requirements for Bodies Operating Certification of Persons).
The CISSP examination is based on the Common Body of Knowledge (CBK), a compendium of information security best practices developed and maintained by the International Information Systems Security Certification Consortium, a nonprofit organization. The CBK is made up of eight domains that comprise the body of knowledge required for CISSP certification.
The eight domains are as follows, with an indication of where the topics are covered in this textbook:
• Security and risk management: Confidentiality, integrity, and availability concepts; security governance principles; risk management; compliance; legal and regulatory issues; professional ethics; and security policies, standards, procedures, and guidelines. (Chapter 14)
• Asset security: Information and asset classification; ownership (e.g., data owners, system owners); privacy protection; appropriate retention; data security controls; and handling requirements (e.g., markings, labels, storage). (Chapters 5, 15, 16, 19)
• Security architecture and engineering: Engineering processes using secure design principles; security models; security evaluation models; security capabilities of information systems; vulnerabilities of security architectures, designs, and solution elements; web-based systems vulnerabilities; mobile systems vulnerabilities; embedded devices and cyber-physical systems vulnerabilities; cryptography; secure principles for site and facility design; and physical security. (Chapters 1, 2, 13, 15, 16)
• Communication and network security: Secure network architecture design (e.g., IP and non-IP protocols, segmentation); secure network components; secure communication channels; and network attacks. (Part Five)
• Identity and access management: Physical and logical assets control; identification and authentication of people and devices; identity as a service (e.g., cloud identity); third-party identity services (e.g., on-premises); access control attacks; and identity and access provisioning lifecycle (e.g., provisioning review). (Chapters 3, 4, 8, 9)
• Security assessment and testing: Assessment and test strategies; security process data (e.g., management and operational controls); security control testing; test outputs (e.g., automated, manual); and security architectures vulnerabilities. (Chapters 14, 15, 18)
• Security operations: Investigations support and requirements; logging and monitoring activities; provisioning of resources; foundational security operations concepts; resource protection techniques; incident management; preventative measures; patch and vulnerability management; change management processes; recovery strategies; disaster recovery processes and plans; business continuity planning and exercises; physical security; and personnel safety concerns. (Chapters 11, 12, 15, 16, 17)
• Software development security: Security in the software development lifecycle; development environment security controls; software security effectiveness; and acquired software security impact. (Part Two)
Support for NCAE-C Certification
The National Centers of Academic Excellence in Cybersecurity (NCAE-C) program is managed by the National Security Agency, with partners including the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The NCAE-C program office collaborates closely with the National Institute of Standards and Technology (NIST), the National Science Foundation (NSF), the Department of Defense Office of the Chief Information Officer (DoD-CIO), and US Cyber Command (CYBERCOM). The goal of this program is to promote higher education and research in cyber defense and to produce professionals with cyber defense expertise, in order to expand the cybersecurity workforce and to reduce vulnerabilities in our national infrastructure. Academic institutions may choose from three designations: Cyber Defense, Cyber Research, and Cyber Operations. To achieve that purpose, NSA/DHS have defined a set of Knowledge Units that must be supported in the curriculum to gain NCAE-C designation. Each Knowledge Unit is composed of a minimum list of required topics to be covered and one or more outcomes or learning objectives. Designation is based on meeting a certain threshold number of core and optional Knowledge Units. In the area of Cyber Defense, the 2022 Foundational Knowledge Units are as follows:
• Cybersecurity foundations: Provides students with a basic understanding of the fundamental concepts behind cybersecurity, including attacks, defenses, and incident response.
• Cybersecurity principles: Provides students with basic security design fundamentals that help create systems that are worthy of being trusted.
• IT systems components: Provides students with a basic understanding of the hardware and software components in an information technology system and their roles in system operation.
This book provides extensive coverage in these foundational areas, as well as coverage of many of the other technical, nontechnical, and optional Knowledge Units.
Plan of the Text
The book is divided into five parts (see Chapter 0):
• Computer Security Technology and Principles
• Software and System Security
• Management Issues
• Cryptographic Algorithms
• Network Security
The text includes an extensive glossary, a list of frequently used acronyms, and a bibliography. Each chapter includes homework problems, review questions, a list of key words, and suggestions for further reading.