FOUNDATIONS OF INFORMATION SECURITY
A Straightforward Introduction
by Jason Andress
San Francisco
FOUNDATIONS OF INFORMATION SECURITY. Copyright 2019 by Jason Andress.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
ISBN-10: 1-7185-0004-1
ISBN-13: 978-1-7185-0004-4
Publisher: William Pollock
Production Editor: Meg Sneeringer
Cover Illustration: Rick Reese
Developmental Editor: Frances Saux
Technical Reviewer: Cliff Janzen
Copyeditor: Kim Wimpsett
Compositor: Meg Sneeringer
Proofreader: James Fraleigh
Indexer: Beth Nauman-Montana
For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900; www.nostarch.com
The Library of Congress issued the following Cataloging-in-Publication Data for the first edition:
Names: Andress, Jason, author.
Title: Foundations of information security: a straightforward introduction / Jason Andress.
Description: 1st ed. | San Francisco : No Starch Press, 2019. | Includes bibliographical references and index. | Summary: "Begins with an introduction to information security, including key topics such as confidentiality, integrity, and availability, and then moves on to practical applications of these ideas in the areas of operational, physical, network, application, and operating system security"--Provided by publisher.
Identifiers: LCCN 2019024099 (print) | LCCN 2019024100 (ebook) | ISBN 9781718500044 (paperback) | ISBN 1718500041 (paperback) | ISBN 9781718500051 (ebook)
Subjects: LCSH: Computer security. | Computer networks--Security measures. | Electronic information resources--Access control.
Classification: LCC QA76.9.A25 A5445 2019 (print) | LCC QA76.9.A25 (ebook) | DDC 005.8--dc23
LC record available at https://lccn.loc.gov/2019024099
LC ebook record available at https://lccn.loc.gov/2019024100
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
The best is the enemy of the good.
Voltaire
About the Author
Dr. Jason Andress is a seasoned security professional, security researcher, and technophile. He has been writing on security topics for over a decade, covering data security, network security, hardware security, penetration testing, and digital forensics, among others.
About the Technical Reviewer
Since the early days of Commodore PET and VIC-20, technology has been a constant companion (and sometimes an obsession!) to Cliff. He discovered his career passion when he moved into information security in 2008 after a decade of IT operations. Since that time, Cliff is grateful to have had the opportunity to work with and learn from some of the best people in the industry including Jason and the fine people at No Starch. Cliff spends a majority of the work day managing and mentoring a great team, but strives to stay technically relevant by tackling everything from security policy reviews to penetration testing. He feels lucky to have a career that is also his favourite hobby and a wife that supports him.
CONTENTS IN DETAIL
1 WHAT IS INFORMATION SECURITY?
2 IDENTIFICATION AND AUTHENTICATION
3 AUTHORIZATION AND ACCESS CONTROLS
4 AUDITING AND ACCOUNTABILITY
5 CRYPTOGRAPHY
6 COMPLIANCE, LAWS, AND REGULATIONS
7 OPERATIONS SECURITY
8 HUMAN ELEMENT SECURITY
9 PHYSICAL SECURITY
10 NETWORK SECURITY
11 OPERATING SYSTEM SECURITY
12 MOBILE, EMBEDDED, AND INTERNET OF THINGS SECURITY
13 APPLICATION SECURITY
14 ASSESSING SECURITY
ACKNOWLEDGMENTS
I want to thank my wife for bearing with me through another writing project, especially during my excessive complaining and foot dragging over (ahem) certain chapters <3.
I also want to thank the whole crew at No Starch Press for all their time and hard work in making this a better book. Without all the many rounds of editing, reviewing, and feedback, this book would have been a considerably less polished version of itself.
INTRODUCTION
When I was in school, I was faced with a choice between pursuing a concentration in either information security or software engineering. The software engineering courses had terribly boring-sounding titles, so information security it was. Little did I know what a twisted and winding path I'd embarked on.
Information security as a career can take you many different places. Over the years, I've dealt with large-scale malware outbreaks, collected forensic information for court cases, hunted for foreign hackers in computer systems, hacked into systems and applications (with permission!), pored over an astonishing amount of log data, implemented and maintained all manner of security tooling, authored many thousands of lines of code to fit square pegs into round holes, worked on open source projects, spoken at security conferences, taught classes, and written somewhere into the upper regions of hundreds of thousands of words on the topic of security.
This book surveys the information security field as a whole. It's well-suited to anyone wondering what people mean when they use the term information security, or anyone interested in the field and wondering where to start. The chapters offer clear, nontechnical explanations of how information security works and how to apply these principles to your own career. It should help you learn about information security without making you consult a massive textbook. I'll first cover the fundamental ideas, such as authentication and authorization, needed to understand the field's key concepts, such as the principle of least privilege and various security models. I'll then dive into a survey of real-world applications of these ideas in the areas of operations, human, physical, network, operating system, mobile, embedded, Internet of Things (IoT), and application security. I'll finish up by looking at how to assess security.
Who Should Read This Book?
This book will be a valuable resource to beginning security professionals, as well as to network and system administrators. You should use the information provided to develop a better understanding of how you protect your information assets and defend against attacks, as well as how to apply these concepts systematically to make your environment more secure.