E-book: Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity

(Arlington, Texas, USA)
  • Format: 355 pages, PDF+DRM
  • Publication date: 02-May-2014
  • Publisher: Auerbach
  • Language: English
  • ISBN-13: 9781466592155
  • Price: 67,60 €* (* the price is final, i.e. no further discounts apply)
  • This e-book is for personal use only; e-books cannot be returned.

DRM restrictions

  • Copying (copy/paste): not allowed
  • Printing: not allowed
  • Use: the publisher has issued this e-book in encrypted form (Adobe DRM), so reading it requires dedicated software and an Adobe ID. The e-book can be read by 1 user and downloaded to up to 6 devices, all authorised with the same Adobe ID.
  • Required software: on mobile devices (phone or tablet), the free PocketBook Reader app (iOS / Android); on a PC or Mac, Adobe Digital Editions (a free application specifically for reading e-books, not to be confused with Adobe Reader, which is probably already installed on your computer).
  • This e-book cannot be read on an Amazon Kindle.

Stapleton sets out the basics of information security for information security professionals, application developers, information technologists, business analysts, manufacturers, and end users. He arranges his discussion around the three major areas of confidentiality, authenticity, and integrity, noting that these do not necessarily correspond with categories in some of the major security standards and protocols. Other topics include non-repudiation, privacy, and key management. Annotation ©2014 Ringgold, Inc., Portland, OR (protoview.com)

The traditional view of information security rests on three cornerstones: confidentiality, integrity, and availability; the author, however, argues that authentication is the third keystone. As the field continues to grow in complexity, novices and professionals alike need a reliable reference that clearly outlines the essentials. Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity fills this need.

Rather than focusing on compliance or policies and procedures, this book takes a top-down approach. It shares the author’s knowledge, insights, and observations about information security based on his experience developing dozens of ISO Technical Committee 68 and ANSI accredited X9 standards. Starting with the fundamentals, it provides an understanding of how to approach information security from the bedrock principles of confidentiality, integrity, and authentication.

The text goes beyond the usual cryptographic abstractions of encryption and digital signatures as the fundamental security controls to explain how to implement them in applications, policies, and procedures that meet business and compliance requirements. It provides a foundation in cryptography while keeping the treatment of symmetric versus asymmetric cryptography simple, referring to algorithms only in general terms without going deeply into the mathematics.

Presenting comprehensive and in-depth coverage of confidentiality, integrity, authentication, non-repudiation, privacy, and key management, this book supplies authoritative insight into the commonalities and differences of various users, providers, and regulators in the U.S. and abroad.

Reviews

Jeff's extensive practical experience in applying information security and his expertise in cryptographic standards make this book a must-read for the information security professional. Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity deserves a place in your reference library.
Ralph Spencer Poore, CFE, CISA, CISSP, CHS-III, PCIP, ISSA Distinguished Fellow, ISSA Honor Roll

Having worked at the same consulting firm and also on a project with author J.J. Stapleton (full disclosure), I knew he was a really smart guy. In Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity, Stapleton shows how broad his security knowledge is to the world. When it comes to the world of encryption and cryptography, Stapleton has had his hand in a lot of different cryptographic pies. He has been part of cryptographic accreditation committees for many different standard bodies across the globe. ... Those looking for a highly technical overview, interoperability guidance, and overall reference will find the book most rewarding. ... One of the ways Stapleton brings his broad experience to the book is in the many areas where he compares different types of cryptosystems, technologies and algorithms. This enables the reader to understand what the appropriate type of authentication is most beneficial for the specific requirement. ... For anyone looking for an authoritative text on how to fully implement cross-platform security and authentication across the enterprise, this is a valuable reference to get that job done.
Book review by Ben Rothke, writing on slashdot.org. View the full review at: http://books.slashdot.org/story/14/06/16/1245237/book-review-security-without-obscurity

... the author is well qualified to assay the vital information technology field of computer network security ... The text is peppered with instructive figures and tables ... very clearly written ...
John Maxymuk, ARBAonline

Table of Contents (starting page, followed by the number of pages in each part)

About the Author  xi
Chapter 1 Introduction  1 (56 pp.)
1.1 About This Book  1 (6 pp.)
1.1.1 Audience for This Book  1 (3 pp.)
1.1.2 Guide to This Book  4 (3 pp.)
1.2 Standards  7 (33 pp.)
1.2.1 Standards Organizations  7 (3 pp.)
1.2.2 ISO TC68 Financial Services  10 (9 pp.)
1.2.3 ASC X9 Financial Services  19 (16 pp.)
1.2.4 Standards Depreciation  35 (5 pp.)
1.3 Risk Assessment  40 (17 pp.)
1.3.1 Threat Analysis  42 (2 pp.)
1.3.2 Vulnerability Analysis  44 (4 pp.)
1.3.3 Probability Analysis  48 (3 pp.)
1.3.4 Impact Analysis  51 (1 p.)
1.3.5 Control Adjustments  52 (1 p.)
1.3.6 Example Assessment  53 (4 pp.)
Chapter 2 Confidentiality  57 (34 pp.)
2.1 Data Classification  59 (6 pp.)
2.1.1 Data Groups  59 (5 pp.)
2.1.2 Data Tagging  64 (1 p.)
2.2 Data States  65 (9 pp.)
2.2.1 Data in Transit  66 (1 p.)
2.2.1.1 Encryption Methods  66 (1 p.)
2.2.1.2 Encryption Methods 2  67 (1 p.)
2.2.1.3 Encryption Methods 3  68 (1 p.)
2.2.2 Data in Process  69 (2 pp.)
2.2.3 Data in Storage  71 (3 pp.)
2.3 Data Encryption  74 (17 pp.)
2.3.1 Session Encryption  77 (3 pp.)
2.3.2 Field Encryption  80 (2 pp.)
2.3.3 Data Tokenization  82 (4 pp.)
2.3.4 Data Encryption Keys  86 (5 pp.)
Chapter 3 Authentication  91 (78 pp.)
3.1 Authentication Factors  94 (6 pp.)
3.1.1 Single-Factor Authentication  94 (4 pp.)
3.1.2 Multifactor Authentication  98 (1 p.)
3.1.3 Multisite Authentication  99 (1 p.)
3.2 Knowledge Factors  100 (20 pp.)
3.2.1 Person Entity (PE) Authentication  102 (9 pp.)
3.2.2 Nonperson Entity (NPE) Authentication  111 (4 pp.)
3.2.3 Knowledge-Based Authentication (KBA)  115 (1 p.)
3.2.4 Zero Knowledge (ZK) Authentication  116 (4 pp.)
3.3 Possession Factors  120 (17 pp.)
3.3.1 Hardware Objects  121 (8 pp.)
3.3.2 Data Objects  129 (2 pp.)
3.3.3 Software Objects  131 (5 pp.)
3.3.4 One-Time Passwords (OTP)  136 (1 p.)
3.4 Biometric Factors  137 (10 pp.)
3.4.1 Biometric Technology  139 (4 pp.)
3.4.2 Biometric Enrollment  143 (2 pp.)
3.4.3 Biometric Verification  145 (1 p.)
3.4.4 Biometric Identification  146 (1 p.)
3.5 Cryptography Factors  147 (10 pp.)
3.5.1 Symmetric Cryptography  148 (2 pp.)
3.5.2 Asymmetric Cryptography  150 (1 p.)
3.5.3 Cryptographic Authentication  151 (3 pp.)
3.5.4 Cryptographic Protocols  154 (3 pp.)
3.6 Signature Synonyms  157 (4 pp.)
3.6.1 Handwritten Signatures  158 (1 p.)
3.6.2 Dynamic Signatures  158 (1 p.)
3.6.3 Digital Signatures  159 (1 p.)
3.6.4 Electronic Signatures  160 (1 p.)
3.7 Provisioning  161 (8 pp.)
Chapter 4 Integrity  169 (30 pp.)
4.1 Integrity Check Value (ICV) Description  170 (8 pp.)
4.1.1 ICV Composition  171 (5 pp.)
4.1.2 Integrity Check Points  176 (2 pp.)
4.2 Data Integrity States  178 (4 pp.)
4.2.1 Data in Transit  178 (1 p.)
4.2.2 Data in Process  179 (1 p.)
4.2.3 Data in Storage  180 (2 pp.)
4.3 Integrity Check Methods  182 (17 pp.)
4.3.1 Longitudinal Redundancy Check (LRC)  183 (1 p.)
4.3.2 Cyclic Redundancy Check (CRC)  184 (2 pp.)
4.3.3 Hash and Message Digest  186 (2 pp.)
4.3.4 Message Authentication Code (MAC)  188 (2 pp.)
4.3.5 Hashed Message Authentication Code (HMAC)  190 (1 p.)
4.3.6 Digital Signature  191 (3 pp.)
4.3.7 Time-Stamp Token (TST)  194 (5 pp.)
Chapter 5 Nonrepudiation  199 (12 pp.)
5.1 Technical Considerations  200 (3 pp.)
5.2 Cryptographic Considerations  203 (1 p.)
5.3 Operational Considerations  204 (2 pp.)
5.4 Legal Considerations  206 (5 pp.)
Chapter 6 Privacy  211 (26 pp.)
6.1 Technical Considerations  212 (4 pp.)
6.1.1 Privacy Data Elements  212 (1 p.)
6.1.2 Cross-Border Jurisdictions  213 (3 pp.)
6.2 Cryptographic Considerations  216 (1 p.)
6.3 Operational Considerations  217 (4 pp.)
6.3.1 Roles and Responsibilities  217 (2 pp.)
6.3.2 Security Policy  219 (2 pp.)
6.4 Legal Considerations  221 (16 pp.)
6.4.1 European Union (EU) Privacy Directive  222 (1 p.)
6.4.2 Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)  223 (1 p.)
6.4.3 United Kingdom Data Privacy Act (DPA)  224 (2 pp.)
6.4.4 United States Privacy Laws and Guidelines  226 (2 pp.)
6.4.5 Federal Trade Commission (FTC): Privacy of Consumer Financial Information  228 (2 pp.)
6.4.6 Health Insurance Portability and Accountability Act (HIPAA)  230 (2 pp.)
6.4.7 Fair Credit Reporting Act (FCRA)  232 (1 p.)
6.4.8 Federal Privacy Act  233 (4 pp.)
Chapter 7 Key Management  237 (76 pp.)
7.1 Cryptographic Algorithms  238 (19 pp.)
7.1.1 Encryption  240 (4 pp.)
7.1.2 Message Authentication Code (MAC)  244 (1 p.)
7.1.3 Hashed Message Authentication Code (HMAC)  245 (1 p.)
7.1.4 Hash  245 (2 pp.)
7.1.5 Digital Signature  247 (3 pp.)
7.1.6 Key Transport  250 (2 pp.)
7.1.7 Key Agreement  252 (2 pp.)
7.1.8 Summary of Algorithms  254 (3 pp.)
7.2 Cryptographic Modules  257 (18 pp.)
7.2.1 Common Criteria  261 (2 pp.)
7.2.2 NIST Cryptographic Modules  263 (4 pp.)
7.2.3 ANSI Tamper Resistant Security Modules  267 (1 p.)
7.2.4 ISO Secure Cryptographic Modules  268 (7 pp.)
7.3 Key-Management Life Cycle  275 (11 pp.)
7.3.1 Cryptography Risks  275 (2 pp.)
7.3.2 Life-Cycle Phases  277 (4 pp.)
7.3.3 Life-Cycle Controls  281 (5 pp.)
7.4 Cryptographic Architecture  286 (12 pp.)
7.4.1 Security Policies, Practices, and Procedures  287 (4 pp.)
7.4.2 Key Inventory  291 (5 pp.)
7.4.3 Network, Data, and Key Diagrams  296 (2 pp.)
7.5 Public Key Infrastructure  298 (15 pp.)
7.5.1 Certificate Authority  304 (5 pp.)
7.5.2 Registration Authority  309 (1 p.)
7.5.3 Subject  310 (1 p.)
7.5.4 Relying Party  311 (2 pp.)
Bibliography  313 (16 pp.)
Index  329
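Section 4.3 of the contents runs through the integrity check methods in order of strength, from LRC and CRC (error detection only) through unkeyed hashes to keyed MACs and HMAC, but a table of contents cannot show why that ordering matters. The Python below is an added example, not code from the book or from this page: it computes each of those integrity check values over a constructed payment-style message, then shows a deliberate two-byte change that an LRC cannot detect, and that once the attacker can also rewrite the attached check values, only the keyed HMAC still catches the change. The message, the key, and the `forge_preserving_lrc` and `attacker_recomputes_unkeyed` helpers are hypothetical and constructed for illustration; digital signatures and time-stamp tokens (4.3.6 and 4.3.7) are not covered here.

```python
"""Integrity check values (ICVs) compared: LRC, CRC-32, SHA-256, HMAC-SHA-256."""
import hashlib
import hmac
import zlib

# Constructed sample transaction and key (hypothetical; not from the book).
MESSAGE = b"TRANSFER 100.00 FROM 12345678 TO 87654321 MEMO rent"
KEY = b"constructed-demo-key-do-not-reuse"


def lrc(data: bytes) -> int:
    """Longitudinal redundancy check: XOR of all bytes, a one-byte checksum."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


def crc32(data: bytes) -> int:
    """CRC-32 (IEEE polynomial) as an unsigned 32-bit value."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_hex(data: bytes) -> str:
    """Unkeyed message digest."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed message authentication code (HMAC construction, RFC 2104)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def integrity_check_values(data: bytes, key: bytes) -> dict:
    """ICVs the sender attaches to the message."""
    return {
        "lrc": lrc(data),
        "crc32": crc32(data),
        "sha256": sha256_hex(data),
        "hmac": hmac_sha256_hex(key, data),
    }


def verify(data: bytes, key: bytes, icvs: dict) -> dict:
    """Receiver-side check of each ICV against the received data."""
    return {
        "lrc": lrc(data) == icvs["lrc"],
        "crc32": crc32(data) == icvs["crc32"],
        "sha256": sha256_hex(data) == icvs["sha256"],
        # Constant-time comparison so the MAC check itself does not leak.
        "hmac": hmac.compare_digest(hmac_sha256_hex(key, data), icvs["hmac"]),
    }


def forge_preserving_lrc(data: bytes, pos: int, new_byte: int, comp_pos: int) -> bytes:
    """Deliberate tampering that an LRC cannot detect (hypothetical attacker step).

    Overwrites data[pos] with new_byte and XORs the same difference into
    data[comp_pos], so the XOR of all bytes (the LRC) is unchanged.
    """
    forged = bytearray(data)
    delta = forged[pos] ^ new_byte
    forged[pos] = new_byte
    forged[comp_pos] ^= delta
    return bytes(forged)


def attacker_recomputes_unkeyed(data: bytes, icvs: dict) -> dict:
    """Attacker who can also rewrite the attached ICVs replaces every unkeyed one;
    without the key the HMAC cannot be recomputed, so the old value has to stay."""
    return {
        "lrc": lrc(data),
        "crc32": crc32(data),
        "sha256": sha256_hex(data),
        "hmac": icvs["hmac"],
    }


def demo() -> tuple:
    """Returns (forged message, results with data-only tampering, results with rewritten ICVs)."""
    icvs = integrity_check_values(MESSAGE, KEY)
    # Change the amount 100.00 -> 900.00 and hide the compensating byte in the memo text.
    forged = forge_preserving_lrc(
        MESSAGE, MESSAGE.index(b"100.00"), ord("9"), MESSAGE.index(b"rent")
    )
    naive = verify(forged, KEY, icvs)  # attacker changed the data only
    rewritten = verify(forged, KEY, attacker_recomputes_unkeyed(forged, icvs))
    return forged, naive, rewritten


if __name__ == "__main__":
    forged_msg, naive_result, rewritten_result = demo()
    print(forged_msg)
    print("data-only tampering detected by:", [k for k, ok in naive_result.items() if not ok])
    print("tampering plus rewritten ICVs detected by:", [k for k, ok in rewritten_result.items() if not ok])
```

Two points fall out of running it. The LRC passes on the forged message in both scenarios, and CRC-32 and SHA-256 catch the change only while the attacker cannot replace the values travelling with the data; whoever can alter the message can usually alter an attached unkeyed checksum or digest as well. The HMAC keeps failing because recomputing it needs the key, which is why a MAC or HMAC is the minimum for integrity against an adversary rather than against noise, and why the key itself then becomes the thing to protect (the subject of Chapter 7).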
About the Author

Jeff J. Stapleton has over 30 years' experience developing and assessing payment systems and security techniques, including cryptography and biometrics. His career includes work with the major card brands (MasterCard, Visa, American Express, and Discover) on payment systems and security assessments; big-four accounting firm experience performing security assessments of applications, systems, and products; risk assessments and security compliance audits for large and medium-sized financial institutions; and developing policies, practices, and procedures for security systems.

Jeff has participated in developing ISO and X9 security standards for over 25 years within the financial services industry. For the first five years, he participated on several X9 workgroups and has been an industry liaison and U.S. expert several times for various ISO workgroups. In addition, he has been chair of the X9F4 Cryptographic Protocols and Application Security Workgroup for 15 years. His experience includes participation on several X9 and ISO workgroups and development of over three dozen ISO and X9 standards. Some of the standards have multiple parts, which add to the overall count.

Jeff has published articles in various information security journals, IEEE papers, PKI Forum notes, and is a contributing author to several books on biometrics and cryptography. He is also a patent holder for cryptographic solutions.

Jeff has also authored various white papers for customers on debit card payments, key management, data loss prevention (DLP) solutions, and format-preserving encryption (FPE). He is a CISSP® and a former Certified TG-3 Assessor (CTGA®) and PCI Qualified Security Assessor (QSA®); the CTGA and QSA credentials remain valid only for security consultants in active practice. He has also been a frequent public speaker at information security conferences, seminars, and webinars.