There's a lot more consciousness of security today, but not a lot of understanding of what it means and how far it should go. No one loves security, but most people - managers, system administrators and users alike - are starting to feel that they'd better accept it, or at least try to understand it. For example, most US Government equipment acquisitions now require "Orange Book" (Trusted Computer System Evaluation Criteria) certification. A lot of people have a vague feeling that they ought to know about the Orange Book, but few make the effort to track it down and read it. "Computer Security Basics" contains a readable introduction to the Orange Book - why it exists, what it contains, and what the different security levels are all about. This handbook describes complicated concepts such as trusted systems, encryption, and mandatory access control in simple terms. It tells you what you need to know to understand the basics of computer security, and it will help you persuade your employees to practice safe computing.

Table of Contents:
Preface About This Book Summary of Contents Acknowledgments Comments and Questions Part I OVERVIEW Chapter 1 Introduction Attack of the Giant Worm (and Other Tales) What Is Computer Security? A Broader Definition of Security Secrecy and Confidentiality Accuracy, Integrity, and Authenticity Availability Threats to Security Vulnerabilities Threats Countermeasures Why Buy Security? Government Requirements Information Protection What's A User To Do? Chapter 2 Some Security History Information and its Controls Computer Security: Then and Now Early Computer Security Efforts Tiger Teams Research and Modeling Secure Systems Development Building Toward Standardization Standards for Secure Systems Standards for Cryptography Standards for Emanations Computer Security Mandates and Legislation NSDD 145 NTISSP 2 Computer Fraud and Abuse Act Computer Security Act Searching for a Balance Recent Government Security Initiatives Privacy Considerations International Security Activity The Growth of Modern Standards Part II COMPUTER SECURITY Chapter 3 Computer System Security and Access Controls What Makes a System Secure? System Access: Logging Into Your System Identification and Authentication Protecting Passwords Data Access: Protecting Your Data Discretionary Access Control Mandatory Access Control Chapter 4 Viruses and Other Wildlife Viruses Worms Trojan Horses Bombs Trap Doors Spoofs Other Wildlife Remedies Chapter 5 Secure System Planning and Administration Administrative Security Overall Planning and Administration Analyzing Costs and Risks Planning for Disaster Setting Security Rules for Employees Training Users Day-to-day Administration Performing Backups Performing a Security Audit Separation of Duties Chapter 6 Inside the Orange Book Introduction to the Orange Book A Summary of Security Concepts What's a Trusted System? Measuring Trust Trusted Computing Base Security Policy Security Model Security Kernel Security Perimeter Orange Book Evaluation Classes Comparison of Evaluation Classes Complaints About the Orange Book Evaluations of Secure Systems Security Policy Requirements Discretionary Access Control Object Reuse Labels Mandatory Access Control Accountability Requirements Identification and Authentication Trusted Path Audit Assurance Requirements Operational Assurance Life-cycle Assurance Documentation Requirements Security Features User's Guide Trusted Facility Manual Test Documentation Design Documentation Summary of Classes D Systems: Minimal Security C1 Systems: Discretionary Security Protection C2 Systems: Controlled Access Protection B1 Systems: Labeled Security Protection B2 Systems: Structured Protection B3 Systems: Security Domains A1 Systems: Verified Design Compartmented Mode Workstations Government Computer Security Programs Part III COMMUNICATIONS SECURITY Chapter 7 Encryption Some History What is Encryption? Why Encryption? Transposition and Substitution Ciphers Cryptographic Keys: Private and Public Key Management and Distribution One-time Pad The Data Encryption Standard What is the DES? Future of the DES Other Cryptographic Algorithms Variations on the DES Public Key Algorithms The RSA Algorithm Digital Signatures and Notaries Government Algorithms Message Authentication Encryption in Banking and Financial Applications Government Cryptographic Programs NSA NIST Treasury Cryptographic Export Restrictions Chapter 8 Communications and Network Security What Makes Communication Secure? Communications Vulnerabilities Communications Threats Modems Networks Network Terms Some Network History Network Media OSI Model Network Security Trusted Networks Perimeters and Gateways Security in Heterogeneous Environments Encrypted Communications The Red Book and Government Network Evaluations TCSEC Requirements Other Security Services Some Network Security Projects DISNet and Blacker SDNS Kerberos Project MAX Secure NFS Part IV OTHER TYPES OF SECURITY Chapter 9 Physical Security and Biometrics Physical Security Natural Disasters Risk Analysis and Disaster Planning Locks and Keys: Old and New Types of Locks Tokens Challenge-response Systems Cards: Smart and Dumb Biometrics Fingerprints Handprints Retina Patterns Voice Patterns Signature and Writing Patterns Keystrokes Chapter 10 TEMPEST The Problem of Emanations The TEMPEST Program How To Build TEMPEST Products TEMPEST Standards and Restrictions TEMPEST Standards TEMPEST Export Restrictions Who Cares About TEMPEST? Is TEMPEST Needed? Changing TEMPEST Concepts Government TEMPEST Programs Part V APPENDICES Appendix A Acronyms Appendix B Computer Security Legislation Appendix C Orange Book and Other Summaries Orange Book (TCSEC) Requirements Compartmented Mode Workstation (CMW) Requirements System High Workstation (SHW) Requirements International Security (ITSEC) Requirements Appendix D Government Security Programs Computer Security Programs The Role of the NCSC The Role of NIST Trusted Product Evaluation Program (TPEP) Evaluation of Network Products Evaluations of Database Management Systems Evaluations of Security Subsystem Products Formal Verification Systems Evaluation Program (FVSEP) Degausser Products List Rating Maintenance Phase (RAMP) Program System Certification and Accreditation DOCKMASTER Technical Vulnerability Reporting Program Communications Security Programs Commercial COMSEC Endorsement Program CCEP Eligibility CCEP Program Steps Government Endorsed DES Equipment Program EFT Certification Program Protected Network Services List Off-line Systems List (OLSL) Restrictions on Cryptographic Products TEMPEST Security Programs Industrial TEMPEST Program and Preferred Products List Endorsed TEMPEST Products Program Endorsed TEMPEST Test Services Program Endorsed TEMPEST Test Instrumentation Program Appendix E A Security Source Book Government Publications The Rainbow Series Other NSA Publications FIPS PUBs NIST Special Publications Other NIST Publications Compartmented Mode Workstation (CMW) Publications COMSEC Program Publications TEMPEST Program Publications Other Security-relevant Government Publications Government Program Contact Points Computer Security (COMPUSEC) Programs Communications Security (COMSEC) Programs TEMPEST Programs Other Government Contacts Emergency Organizations Standards Organizations Security User Groups Electronic Groups USENET Commercial Bulletin Boards NCSC DOCKMASTER NIST Computer Security Bulletin Board Computer Security Periodicals Computer Security Books Conference Proceedings Computer Security Textbooks Viruses and Other Programmed Threats Computer Crime and Ethics Of General Interest Glossary Index Figures 3-1 Self/Group/Public Controls 3-2 Discretionary Access Control With an Access Control List 3-3 Mandatory Access Control 6-1 Comparison of Evaluation Classes 6-2 Example of Labeling on Banner Page 6-3 Sample Trusted Path Menu 6-4 Sample Audit Output 7-1 The Enigma Machine* 7-2 Simple Encryption and Decryption 7-3 A Simple Transposition Cipher 7-4 Simple Substitution Ciphers 7-5 Another Transposition Cipher 7-6 The Caesar Substitution Cipher 7-7 A Simple Example of Private Key Encryption/Decryption 7-8 A Simple Example of Public Key Encryption/Decryption 7-9 A One-time Pad 7-10 How the DES Works 8-1 Open Systems Interconnection (OSI) Model 8-2 End-to-end Encryption 8-3 Link Encryption Tables 2-1 Security-relevant Standards Organizations 3-1 Sample Login/Password Controls 6-1 Evaluation Classes and Sample Systems 6-2 Discretionary Access Control (DAC) Requirements 6-3 Identification and Authentication (I&A) Requirements 6-4 Audit Requirements 6-5 System Architecture Requirements 6-6 Covert Channel Requirements 6-7 Trusted Facility Management Requirements 6-8 Security Testing Requirements 6-9 Design Specification and Verification Requirements 6-10 Configuration Management Requirements 6-11 Trusted Facility Manual (TFM) Requirements 6-12 Test Documentation Requirements 6-13 Design Documentation Requirements 8-1 OSI Model Layers and Functions 8-2 Communications Integrity Requirements 8-3 Denial of Service Requirements 8-4 Compromise Protection Requirements B-1 Information Protection Legislation B-2 Computer Crime Legislation B-3 Privacy Legislation C-5 Compartmented Mode Workstation Requirements C-6 System High Workstation (SHW) Requirements C-7 Information Technology Security Evaluation Criteria (ITSEC) C-8 ITSEC Classes of Functionality C-9 ITSEC Assurance Levels E-1 Rainbow Series E-2 FIPS PUBs E-3 SPEC PUBs