HANDBOOK OF INFORMATION SECURITY Threats, Vulnerabilities, Prevention, Detection, and Management Volume 3 Hossein Bidgoli Editor-in-Chief California State University Bakersfield, California


  • P1: GDZ/SPH P2: GDZ/SPH QC: GDZ/SPH T1: GDZ

    JWBS001-FM-Vol.III WL041/Bidgolio-Vol I WL041-Sample-v1.cls November 11, 2005 5:9 Char Count= 0

    HANDBOOK OF

    INFORMATION SECURITY

    Threats, Vulnerabilities, Prevention, Detection, and Management

    Volume 3

    Hossein Bidgoli, Editor-in-Chief

    California State University, Bakersfield, California



    This book is printed on acid-free paper. ∞

    Copyright © 2006 by John Wiley & Sons, Inc. All rights reserved.

    Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

    No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

    Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. The publisher is not engaged in rendering professional services, and you should consult a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

    For general information on our other products and services please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

    Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.Wiley.com.

    Library of Congress Cataloging-in-Publication Data:

    The handbook of information security / edited by Hossein Bidgoli.
    p. cm.
    Includes bibliographical references and index.
    ISBN-13: 978-0-471-64830-7, ISBN-10: 0-471-64830-2 (CLOTH VOL 1 : alk. paper)
    ISBN-13: 978-0-471-64831-4, ISBN-10: 0-471-64831-0 (CLOTH VOL 2 : alk. paper)
    ISBN-13: 978-0-471-64832-1, ISBN-10: 0-471-64832-9 (CLOTH VOL 3 : alk. paper)
    ISBN-13: 978-0-471-22201-9, ISBN-10: 0-471-22201-1 (CLOTH SET : alk. paper)
    1. Internet–Encyclopedias. I. Bidgoli, Hossein.

    TK5105.875.I57I5466 2003
    004.67′8′03–dc21

    2002155552

    Printed in the United States of America

    10 9 8 7 6 5 4 3 2 1


    To so many fine memories of my mother, Ashraf, my father, Mohammad, and my brother, Mohsen, for their uncompromising belief in the power of education.


    About the Editor-in-Chief

    Hossein Bidgoli, Ph.D., is professor of Management Information Systems at California State University. Dr. Bidgoli helped set up the first PC lab in the United States. He is the author of 43 textbooks, 27 manuals and over five dozen technical articles and papers on various aspects of computer applications, information systems and network security, e-commerce and decision support systems published and presented throughout the world. Dr. Bidgoli also serves as the editor-in-chief of The Internet Encyclopedia and the Encyclopedia of Information Systems.

    The Encyclopedia of Information Systems was the recipient of one of the Library Journal's Best Reference Sources for 2002 and The Internet Encyclopedia was recipient of one of the PSP Awards (Professional and Scholarly Publishing), 2004. Dr. Bidgoli was selected as the California State University, Bakersfield's 2001–2002 Professor of the Year.


    Editorial Board

    Dorothy E. Denning, Naval Postgraduate School
    James E. Goldman, Purdue University
    Sushil Jajodia, George Mason University
    Ari Juels, RSA Laboratories
    Raymond R. Panko, University of Hawaii, Manoa
    Dennis M. Powers, Southern Oregon University
    Pierangela Samarati, Università di Milano, Italy
    E. Eugene Schultz, University of California-Berkeley Lab
    Lee S. Sproull, New York University
    Rebecca N. Wright, Stevens Institute of Technology
    Avishai Wool, Tel Aviv University, Israel


    Contents

    Contributors (p. xv)
    Preface (p. xxiii)
    Guide to the Handbook of Information Security (p. xxvi)
    Reviewers List (p. 1051)
    Volume Index (p. 1059)

    Volume I: Key Concepts, Infrastructure, Standards, and Protocols

    Part 1: Key Concepts and Applications Related to Information Security

    Internet Basics (p. 3), Hossein Bidgoli
    Digital Economy (p. 15), Nirvikar Singh
    Online Retail Banking: Security Concerns, Breaches, and Controls (p. 37), Kent Belasco and Siaw-Peng Wan
    Digital Libraries: Security and Preservation Considerations (p. 49), Cavan McCarthy
    E-Mail and Instant Messaging (p. 77), Bhagyavati
    Internet Relay Chat (p. 87), Paul L. Witt
    Online Communities (p. 97), Lee Sproull
    Groupware: Risks, Threats, and Vulnerabilities in the Internet Age (p. 110), Pierre Balthazard and John Warren
    Search Engines: Security, Privacy, and Ethical Issues (p. 126), Raymond Wisman
    Web Services (p. 151), Akhil Sahai, Sven Graupner, and Wooyoung Kim
    Electronic Commerce (p. 164), Charles Steinfield
    EDI Security (p. 179), Matthew K. McGowan
    Electronic Payment Systems (p. 189), Indrajit Ray
    Intranets: Principals, Privacy, and Security Considerations (p. 205), William T. Schiano
    Extranets: Applications, Development, Security, and Privacy (p. 215), Stephen W. Thorpe
    Business-to-Business Electronic Commerce (p. 226), Julian J. Ray
    Click-and-Brick Electronic Commerce (p. 242), Charles Steinfield
    Mobile Commerce (p. 254), Vijay Atluri
    E-Education and Information Privacy and Security (p. 268), William K. Jackson
    Security in E-Learning (p. 279), Edgar R. Weippl
    E-Government (p. 294), Shannon Schelin and G. David Garson
    E-Government Security Issues and Measures (p. 306), William C. Barker
    International Security Issues of E-Government (p. 318), Karin Geiselhart

    Part 2: Infrastructure for the Internet, Computer Networks, and Secure Information Transfer

    Conducted Communications Media (p. 337), Thomas L. Pigg
    Routers and Switches (p. 350), Hans-Peter Dommel
    Radio Frequency and Wireless Communications Security (p. 363), Okechukwu Ugweje
    Wireless Channels (p. 387), P. M. Shankar
    Security in Circuit, Message, and Packet Switching (p. 400), Robert H. Greenfield and Daryle P. Niedermayer
    Digital Communication (p. 415), Robert W. Heath Jr., William Bard, and Atul A. Salvekar
    Local Area Networks (p. 428), Wayne C. Summers
    Wide Area and Metropolitan Area Networks (p. 444), Lynn A. DeNoia
    Home Area Networking (p. 460), Sherali Zeadally, Priya Kubher, and Nadeem Ansari


    Public Network Technologies and Security (p. 473), Dale R. Thompson and Amy W. Apon
    Client/Server Computing: Principles and Security Considerations (p. 489), Daniel J. McFarland
    Peer-to-Peer Security (p. 501), Allan Friedman and L. Jean Camp
    Security Middleware (p. 512), Linda Volonino and Richard P. Volonino
    Internet Architecture (p. 522), Graham Knight
    TCP/IP Suite (p. 543), Prabhaker Mateti
    Voice-over Internet Protocol (VoIP) (p. 561), Roy Morris
    Security and Web Quality of Service (p. 576), Tarek F. Abdelzhaer and Chengdu Huang
    Mobile Devices and Protocols (p. 592), Min Song
    Bluetooth Technology (p. 605), Brent A. Miller
    Wireless Local Area Networks (p. 617), M. S. Obaidat, G. I. Papadimitriou, and S. Obeidat
    Security in Wireless Sensor Networks (p. 637), Mohamed Eltoweissy, Stephan Olariu, and Ashraf Wadaa
    Cellular Networks (p. 654), Jingyuan Zhang and Ivan Stojmenovic
    Mobile IP (p. 664), M. Farooque Mesiya
    IP Multicast and Its Security (p. 680), Emilia Rosti
    TCP over Wireless Links (p. 693), Mohsen Guizani and Anupama Raju
    Air Interface Requirements for Mobile Data Services (p. 712), Harald Haas
    Wireless Internet: A Cellular Perspective (p. 732), Abbas Jamalipour
    Security of Satellite Networks (p. 754), Michele Luglio and Antonio Saitto
    Security of Broadband Access Networks (p. 772), Peter L. Heinzmann
    Ad Hoc Network Security (p. 787), Pietro Michiardi and Refik Molva

    Part 3: Standards and Protocols for Secure Information Transfer

    Standards for Product Security Assessment (p. 809), István Zsolt Berta, Levente Buttyán, and István Vajda
    Digital Certificates (p. 823), Albert Levi
    Internet E-Mail Architecture (p. 836), Robert Gezelter
    PKI (Public Key Infrastructure) (p. 852), Radia Perlman
    S/MIME (Secure MIME) (p. 859), Steven J. Greenwald
    PGP (Pretty Good Privacy) (p. 868), Stephen A. Weis
    SMTP (Simple Mail Transfer Protocol) (p. 878), Vladimir V. Riabov
    Internet Security Standards (p. 901), Raymond R. Panko
    Kerberos (p. 920), William Stallings
    IPsec: AH and ESP (p. 932), A. Meddeb, N. Boudriga, and M. S. Obaidat
    IPsec: IKE (Internet Key Exchange) (p. 944), Charlie Kaufman
    Secure Sockets Layer (SSL) (p. 952), Robert J. Boncella
    PKCS (Public Key Cryptography Standards) (p. 966), Yongge Wang
    Public Key Standards: Secure Shell (p. 979), Xukai Zou
    Security and the Wireless Application Protocol (p. 995), Lillian N. Cassel and Cynthia Pandolfo
    Wireless Network Standards and Protocol (802.11) (p. 1007), Prashant Krishnamurthy
    P3P (Platform for Privacy Preferences Project) (p. 1023), Lorrie Faith Cranor

    Volume II: Information Warfare; Social, Legal, and International Issues; and Security Foundations

    Part 1: Information Warfare

    Cybercrime and the U.S. Criminal Justice System (p. 3), Susan W. Brenner
    Cyberterrorism and Information Security (p. 16), Charles Jaeger
    Online Stalking (p. 40), David J. Loundy


    Electronic Attacks (p. 47), Thomas M. Chen, Jimi Thompson, and Matthew C. Elder
    Wireless Information Warfare (p. 59), Randall K. Nichols
    Computer Network Operations (CNO) (p. 89), Andrew Blyth
    Electronic Protection (p. 101), Neil C. Rowe
    Information Assurance (p. 110), Peng Liu, Meng Yu, and Jiwu Jing

    Part 2: Social and Legal Issues

    The Legal Implications of Information Security: Regulatory Compliance and Liability (p. 127), Blaze D. Waleski
    Hackers, Crackers, and Computer Criminals (p. 154), David Dittrich and Kenneth Einar Himma
    Hacktivism (p. 172), Paul A. Taylor and Jan Ll. Harris
    Corporate Spying: The Legal Aspects (p. 183), William A. Zucker and Scott Nathan
    Law Enforcement and Computer Security Threats and Measures (p. 200), Mathieu Deflem and J. Eagle Shutt
    Combating the Cybercrime Threat: Developments in Global Law Enforcement (p. 210), Roderic Broadhurst
    Digital Identity (p. 223), Drummond Reed and Jerry Kindall
    Digital Divide (p. 238), Jaime J. Davila
    Legal, Social, and Ethical Issues of the Internet (p. 247), Kenneth Einar Himma
    Anonymity and Identity on the Internet (p. 265), Jonathan Wallace
    Spam and the Legal Counter Attacks (p. 275), Charles Jaeger
    Cyberlaw: The Major Areas, Development, and Information Security Aspects (p. 297), Dennis M. Powers
    Global Aspects of Cyberlaw (p. 319), Julia Alpert Gladstone
    Privacy Law and the Internet (p. 336), Ray Everett-Church
    Internet Censorship (p. 349), Richard A. Spinello
    Copyright Law (p. 357), Randy Canis
    Patent Law (p. 369), Gerald Bluhm
    Trademark Law and the Internet (p. 381), Ray Everett-Church
    Online Contracts (p. 392), G. E. Evans
    Electronic Speech (p. 408), Seth Finkelstein
    Software Piracy (p. 418), Robert K. Moniot
    Internet Gambling (p. 428), Susanna Frederick Fischer
    The Digital Millennium Copyright Act (p. 446), Seth Finkelstein
    Digital Courts, the Law and Evidence (p. 459), Robert Slade

    Part 3: Foundations of Information, Computer and Network Security

    Encryption Basics (p. 469), Ari Juels
    Symmetric Key Encryption (p. 479), Jonathan Katz
    Data Encryption Standard (DES) (p. 491), Mike Speciner
    The Advanced Encryption Standard (p. 498), Duncan A. Buell
    Hashes and Message Digests (p. 510), Magnus Daum and Hans Dobbertin
    Number Theory for Information Security (p. 532), Duncan A. Buell
    Public Key Algorithms (p. 548), Bradley S. Rubin
    Elliptic Curve Cryptography (p. 558), N. P. Smart
    IBE (Identity-Based Encryption) (p. 575), Craig Gentry
    Cryptographic Protocols (p. 593), Markus Jakobsson
    Quantum Cryptography (p. 606), G. Massimo Palma
    Key Lengths (p. 617), Arjen K. Lenstra
    Key Management (p. 636), Xukai Zou and Amandeep Thukral
    Secure Electronic Voting Protocols (p. 647), Helger Lipmaa
    Digital Evidence (p. 658), Robin C. Stuart


    Digital Watermarking and Steganography (p. 664), M. A. Suhail, B. Sadoun, and M. S. Obaidat
    Law Enforcement and Digital Evidence (p. 679), J. Philip Craiger, Jeff Swauger, and Mark Pollitt
    Forensic Computing (p. 702), Mohamed Hamdi, Noureddine Boudriga, and M. S. Obaidat
    Computer Forensics Procedures and Methods (p. 715), J. Philip Craiger
    Computer Forensics—Computer Media Reviews in Classified Government Agencies (p. 750), Michael R. Anderson
    Forensic Analysis of UNIX Systems (p. 763), Dario V. Forte
    Forensic Analysis of Windows Systems (p. 781), Steve J. Chapin and Chester J. Maciag
    Operating System Security (p. 796), William Stallings
    UNIX Security (p. 806), Mark Shacklette
    Linux Security (p. 822), A. Justin Wilder
    OpenVMS Security (p. 853), Robert Gezelter
    Windows 2000 Security (p. 870), E. Eugene Schultz
    Software Development and Quality Assurance (p. 885), Pascal Meunier
    The Common Criteria (p. 897), J. McDermott

    Volume III: Threats, Vulnerabilities, Prevention, Detection, and Management

    Part 1: Threats and Vulnerabilities to Information and Computing Infrastructures

    Internal Security Threats (p. 3), Marcus K. Rogers
    Physical Security Threats (p. 18), Mark Michael
    Fixed-Line Telephone System Vulnerabilities (p. 30), Mak Ming Tak, Xu Yan, and Zenith Y. W. Law
    E-Mail Threats and Vulnerabilities (p. 40), David Harley
    E-Commerce Vulnerabilities (p. 57), Sviatoslav Braynov
    Hacking Techniques in Wired Networks (p. 70), Qijun Gu, Peng Liu, and Chao-Hsien Chu
    Hacking Techniques in Wireless Networks (p. 83), Prabhaker Mateti
    Computer Viruses and Worms (p. 94), Robert Slade
    Trojan Horse Programs (p. 107), Adam L. Young
    Hoax Viruses and Virus Alerts (p. 119), Robert Slade
    Hostile Java Applets (p. 126), David Evans
    Spyware (p. 136), Tom S. Chan
    Mobile Code and Security (p. 146), Song Fu and Cheng-Zhong Xu
    Wireless Threats and Attacks (p. 165), Robert J. Boncella
    WEP Security (p. 176), Nikita Borisov
    Bluetooth Security (p. 184), Susanne Wetzel
    Cracking WEP (p. 198), Pascal Meunier
    Denial of Service Attacks (p. 207), E. Eugene Schultz
    Network Attacks (p. 220), Edward Amoroso
    Fault Attacks (p. 230), Hamid Choukri and Michael Tunstall
    Side-Channel Attacks (p. 241), Pankaj Rohatgi

    Part 2: Prevention: Keeping the Hackers and Crackers at Bay

    Physical Security Measures (p. 263), Mark Michael
    RFID and Security (p. 289), Stephen A. Weis
    Cryptographic Privacy Protection Techniques (p. 300), Markus Jakobsson
    Cryptographic Hardware Security Modules (p. 311), Nicko van Someren
    Smart Card Security (p. 326), Michael Tunstall, Sebastien Petit, and Stephanie Porte
    Client-Side Security (p. 342), Charles Border
    Server-Side Security (p. 355), Slim Rekhis, Noureddine Boudriga, and M. S. Obaidat
    Protecting Web Sites (p. 370), Dawn Alexander and April Giles


    Database Security (p. 380), Michael Gertz and Arnon Rosenthal
    Medical Records Security (p. 395), Normand M. Martel
    Access Control: Principles and Solutions (p. 406), S. De Capitani di Vimercati, S. Paraboschi, and Pierangela Samarati
    Password Authentication (p. 424), Jeremy L. Rasmussen
    Computer and Network Authentication (p. 439), Patrick McDaniel
    Antivirus Technology (p. 450), Matthew Schmid
    Biometric Basics and Biometric Authentication (p. 459), James L. Wayman
    Issues and Concerns in Biometric IT Security (p. 471), Philip Statham
    Firewall Basics (p. 502), James E. Goldman
    Firewall Architectures (p. 515), James E. Goldman
    Packet Filtering and Stateful Firewalls (p. 526), Avishai Wool
    Proxy Firewalls (p. 537), John D. McLaren
    E-Commerce Safeguards (p. 552), Mark S. Merkow
    Digital Signatures and Electronic Signatures (p. 562), Raymond R. Panko
    E-Mail Security (p. 571), Jon Callas
    Security for ATM Networks (p. 584), Thomas D. Tarman
    VPN Basics (p. 596), G. I. Papadimitriou, M. S. Obaidat, C. Papazoglou, and A. S. Pomportsis
    VPN Architecture (p. 612), Stan Kurkovsky
    IP-Based VPN (p. 624), David E. McDysan
    Identity Management (p. 636), John Linn
    The Use of Deception Techniques: Honeypots and Decoys (p. 646), Fred Cohen
    Active Response to Computer Intrusions (p. 664), David Dittrich and Kenneth Einar Himma

    Part 3: Detection, Recovery, Management, and Policy Considerations

    Intrusion Detection Systems Basics (p. 685), Peng Ning and Sushil Jajodia
    Host-Based Intrusion Detection System (p. 701), Giovanni Vigna and Christopher Kruegel
    Network-Based Intrusion Detection Systems (p. 713), Marco Cremonini
    The Use of Agent Technology for Intrusion Detection (p. 730), Dipankar Dasgupta
    Contingency Planning Management (p. 744), Marco Cremonini and Pierangela Samarati
    Computer Security Incident Response Teams (CSIRTs) (p. 760), Raymond R. Panko
    Implementing a Security Awareness Program (p. 766), K. Rudolph
    Risk Management for IT Security (p. 786), Rick Kazman, Daniel N. Port, and David Klappholz
    Security Insurance and Best Practices (p. 811), Selahattin Kuru, Onur Ihsan Arsun, and Mustafa Yildiz
    Auditing Information Systems Security (p. 829), S. Rao Vallabhaneni
    Evidence Collection and Analysis Tools (p. 840), Christopher L. T. Brown
    Information Leakage: Detection and Countermeasures (p. 853), Phil Venables
    Digital Rights Management (p. 865), Renato Iannella
    Web Hosting (p. 879), Doug Kaye
    Managing a Network Environment (p. 893), Jian Ren
    E-Mail and Internet Use Policies (p. 908), Nancy J. King
    Forward Security Adaptive Cryptography: Time Evolution (p. 927), Gene Itkis
    Security Policy Guidelines (p. 945), Mohamed Hamdi, Noureddine Boudriga, and M. S. Obaidat
    Asset–Security Goals Continuum: A Process for Security (p. 960), Margarita Maria Lenk
    Multilevel Security (p. 972), Richard E. Smith


    Multilevel Security Models (p. 987), Mark Stamp and Ali Hushyar
    Security Architectures (p. 998), Nicole Graf and Dominic Kneeshaw
    Quality of Security Service: Adaptive Security (p. 1016), Timothy E. Levin, Cynthia E. Irvine, and Evdoxia Spyropoulou
    Security Policy Enforcement (p. 1026), Cynthia E. Irvine
    Guidelines for a Comprehensive Security System (p. 1041), Hossein Bidgoli


    Contributors

    Tarek F. Abdelzhaer, University of Virginia: Security and Web Quality of Service
    Dawn Alexander, University of Maryland: Protecting Web Sites
    Edward Amoroso, AT&T Laboratories: Network Attacks
    Michael R. Anderson, SCERC: Computer Forensics—Computer Media Reviews in Classified Government Agencies
    Nadeem Ansari, Wayne State University: Home Area Networking
    Amy W. Apon, University of Arkansas: Public Network Technologies and Security
    Onur Ihsan Arsun, Isik University, Turkey: Security Insurance and Best Practices
    Vijay Atluri, Rutgers University: Mobile Commerce
    Pierre Balthazard, Arizona State University: Groupware: Risks, Threats, and Vulnerabilities in the Internet Age
    William Bard, The University of Texas, Austin: Digital Communication
    William C. Barker, National Institute of Standards and Technology: E-Government Security Issues and Measures
    Kent Belasco, First Midwest Bank: Online Retail Banking: Security Concerns, Breaches, and Controls
    István Zsolt Berta, Budapest University of Technology and Economics, Hungary: Standards for Product Security Assessment
    Bhagyavati, Columbus State University: E-Mail and Instant Messaging
    Hossein Bidgoli, California State University, Bakersfield: Guidelines for a Comprehensive Security System; Internet Basics
    Gerald Bluhm, Tyco Fire & Security: Patent Law
    Andrew Blyth, University of Glamorgan, Pontypridd, UK: Computer Network Operations (CNO)
    Robert J. Boncella, Washburn University: Secure Sockets Layer (SSL); Wireless Threats and Attacks
    Charles Border, Rochester Institute of Technology: Client-Side Security
    Nikita Borisov, University of California, Berkeley: WEP Security
    Noureddine Boudriga, National Digital Certification Agency and University of Carthage, Tunisia: Forensic Computing; IPsec: AH and ESP; Security Policy Guidelines; Server-Side Security
    Sviatoslav Braynov, University of Illinois, Springfield: E-Commerce Vulnerabilities
    Susan W. Brenner, University of Dayton School of Law: Cybercrime and the U.S. Criminal Justice System
    Roderic Broadhurst, University of Hong Kong, Hong Kong: Combating the Cybercrime Threat: Developments in Global Law Enforcement
    Christopher L. T. Brown, Technology Pathways: Evidence Collection and Analysis Tools
    Duncan A. Buell, University of South Carolina: Number Theory for Information Security; The Advanced Encryption Standard
    Levente Buttyán, Budapest University of Technology and Economics, Hungary: Standards for Product Security Assessment
    Jon Callas, PGP Corporation: E-Mail Security
    L. Jean Camp, Harvard University: Peer-to-Peer Security
    Randy Canis, Greensfelder, Hemker & Gale, P.C.: Copyright Law
    Lillian N. Cassel, Villanova University: Security and the Wireless Application Protocol


    Tom S. Chan, Southern New Hampshire University: Spyware
    Steve J. Chapin, Syracuse University: Forensic Analysis of Windows Systems
    Thomas M. Chen, Southern Methodist University: Electronic Attacks
    Hamid Choukri, Gemplus & University of Bordeaux, France: Fault Attacks
    Chao-Hsien Chu, Pennsylvania State University: Hacking Techniques in Wired Networks
    Fred Cohen, University of New Haven: The Use of Deception Techniques: Honeypots and Decoys
    J. Philip Craiger, National Center for Forensic Science and University of Central Florida: Computer Forensics Procedures and Methods; Law Enforcement and Digital Evidence
    Lorrie Faith Cranor, Carnegie Mellon University: P3P (Platform for Privacy Preferences Project)
    Marco Cremonini, University of Milan, Italy: Contingency Planning Management; Network-Based Intrusion Detection Systems
    Dipankar Dasgupta, University of Memphis: The Use of Agent Technology for Intrusion Detection
    Magnus Daum, Ruhr University Bochum, Germany: Hashes and Message Digests
    Jaime J. Davila, Hampshire College: Digital Divide
    S. De Capitani di Vimercati, Università di Milano, Italy: Access Control: Principles and Solutions
    Mathieu Deflem, University of South Carolina: Law Enforcement and Computer Security Threats and Measures
    Lynn A. DeNoia, Rensselaer Polytechnic Institute: Wide Area and Metropolitan Area Networks
    David Dittrich, University of Washington: Active Response to Computer Intrusions; Hackers, Crackers, and Computer Criminals
    Hans Dobbertin, Ruhr University Bochum, Germany: Hashes and Message Digests
    Hans-Peter Dommel, Santa Clara University: Routers and Switches
    Matthew C. Elder, Symantec Corporation: Electronic Attacks
    Mohamed Eltoweissy, Virginia Tech: Security in Wireless Sensor Networks
    David Evans, University of Virginia: Hostile Java Applets
    G. E. Evans, Queen Mary University of London Intellectual Property Research Institute, UK: Online Contracts
    Ray Everett-Church, PrivacyClue LLC: Privacy Law and the Internet; Trademark Law and the Internet
    Seth Finkelstein, SethF.com: Electronic Speech; The Digital Millennium Copyright Act
    Susanna Frederick Fischer, Columbus School of Law, The Catholic University of America: Internet Gambling
    Dario V. Forte, University of Milan, Crema, Italy: Forensic Analysis of UNIX Systems
    Allan Friedman, Harvard University: Peer-to-Peer Security
    Song Fu, Wayne State University: Mobile Code and Security
    G. David Garson, North Carolina State University: E-Government
    Karin Geiselhart, University of Canberra and Australian National University, Canberra, Australia: International Security Issues of E-Government
    Craig Gentry, DoCoMo USA Labs: IBE (Identity-Based Encryption)
    Michael Gertz, University of California, Davis: Database Security
    Robert Gezelter, Software Consultant: Internet E-Mail Architecture; OpenVMS Security
    April Giles, Independent Consultant: Protecting Web Sites
    Julia Alpert Gladstone, Bryant University: Global Aspects of Cyberlaw
    James E. Goldman, Purdue University: Firewall Architectures; Firewall Basics


    Nicole Graf, University of Cooperative Education, Germany: Security Architectures
    Sven Graupner, Hewlett-Packard Laboratories: Web Services
    Robert H. Greenfield, Computer Consulting: Security in Circuit, Message, and Packet Switching
    Steven J. Greenwald, Independent Information Security Consultant: S/MIME (Secure MIME)
    Qijun Gu, Pennsylvania State University: Hacking Techniques in Wired Networks
    Mohsen Guizani, Western Michigan University: TCP over Wireless Links
    Harald Haas, International University Bremen (IUB), Germany: Air Interface Requirements for Mobile Data Services
    Mohamed Hamdi, National Digital Certification Agency, Tunisia: Forensic Computing; Security Policy Guidelines
    David Harley, NHS Connecting for Health, UK: E-Mail Threats and Vulnerabilities
    Jan Ll. Harris, Salford University, UK: Hacktivism
    Robert W. Heath Jr., The University of Texas, Austin: Digital Communication
    Peter L. Heinzmann, University of Applied Sciences, Eastern Switzerland: Security of Broadband Access Networks
    Kenneth Einar Himma, University of Washington: Active Response to Computer Intrusions; Legal, Social, and Ethical Issues of the Internet; Hackers, Crackers, and Computer Criminals
    Chengdu Huang, University of Virginia: Security and Web Quality of Service
    Ali Hushyar, San Jose State University: Multilevel Security Models
    Renato Iannella, National ICT, Australia (NICTA): Digital Rights Management
    Cynthia E. Irvine, Naval Postgraduate School: Quality of Security Service: Adaptive Security; Security Policy Enforcement
    Gene Itkis, Boston University: Forward Security Adaptive Cryptography: Time Evolution
    William K. Jackson, Southern Oregon University: E-Education and Information Privacy and Security
    Charles Jaeger, Southern Oregon University: Cyberterrorism and Information Security; Spam and the Legal Counter Attacks
    Sushil Jajodia, George Mason University: Intrusion Detection Systems Basics
    Markus Jakobsson, Indiana University, Bloomington: Cryptographic Privacy Protection Techniques; Cryptographic Protocols
    Abbas Jamalipour, University of Sydney, Australia: Wireless Internet: A Cellular Perspective
    Jiwu Jing, Chinese Academy of Sciences, Beijing, China: Information Assurance
    Ari Juels, RSA Laboratories: Encryption Basics
    Jonathan Katz, University of Maryland: Symmetric Key Encryption
    Charlie Kaufman, Microsoft Corporation: IPsec: IKE (Internet Key Exchange)
    Doug Kaye, IT Conversations: Web Hosting
    Rick Kazman, University of Hawaii, Manoa: Risk Management for IT Security
    Wooyoung Kim, University of Illinois, Urbana-Champaign: Web Services
    Nancy J. King, Oregon State University: E-Mail and Internet Use Policies
    Jerry Kindall, Epok Inc.: Digital Identity
    Dominic Kneeshaw, Independent Consultant, Germany: Security Architectures
    David Klappholz, Stevens Institute of Technology: Risk Management for IT Security
    Graham Knight, University College, London, UK: Internet Architecture
    Prashant Krishnamurthy, University of Pittsburgh: Wireless Network Standards and Protocol (802.11)
    Christopher Kruegel, Technical University, Vienna, Austria: Host-Based Intrusion Detection
    Priya Kubher, Wayne State University: Home Area Networking


    Stan Kurkovsky (Central Connecticut State University): VPN Architecture
    Selahattin Kuru (Isik University, Turkey): Security Insurance and Best Practices
    Zenith Y. W. Law (JustSolve Consulting, Hong Kong): Fixed-Line Telephone System Vulnerabilities
    Margarita Maria Lenk (Colorado State University): Asset–Security Goals Continuum: A Process for Security
    Arjen K. Lenstra (Lucent Technologies Bell Laboratories and Technische Universiteit Eindhoven): Key Lengths
    Albert Levi (Sabanci University, Turkey): Digital Certificates
    Timothy E. Levin (Naval Postgraduate School): Quality of Security Service: Adaptive Security
    John Linn (RSA Laboratories): Identity Management
    Helger Lipmaa (Cybernetica AS and University of Tartu, Estonia): Secure Electronic Voting Protocols
    Peng Liu (Pennsylvania State University): Hacking Techniques in Wired Networks; Information Assurance
    David J. Loundy (Devon Bank University College of Commerce): Online Stalking
    Michele Luglio (University of Rome Tor Vergata, Italy): Security of Satellite Networks
    Chester J. Maciag (Air Force Research Laboratory): Forensic Analysis of Windows Systems
    Normand M. Martel (Medical Technology Research Corp.): Medical Records Security
    Prabhaker Mateti (Wright State University): Hacking Techniques in Wireless Networks; TCP/IP Suite
    Cavan McCarthy (Louisiana State University): Digital Libraries: Security and Preservation Considerations
    Patrick McDaniel (Pennsylvania State University): Computer and Network Authentication
    J. McDermott (Naval Research Laboratory): The Common Criteria
    David E. McDysan (MCI Corporation): IP-Based VPN
    Daniel J. McFarland (Rowan University): Client/Server Computing: Principles and Security Considerations
    Matthew K. McGowan (Bradley University): EDI Security
    John D. McLaren (Murray State University): Proxy Firewalls
    A. Meddeb (National Digital Certification Agency and University of Carthage, Tunisia): IPsec: AH and ESP
    Mark S. Merkow (University of Phoenix): E-Commerce Safeguards
    M. Farooque Mesiya (Rensselaer Polytechnic Institute): Mobile IP
    Pascal Meunier (Purdue University): Cracking WEP; Software Development and Quality Assurance
    Mark Michael (Research in Motion Ltd., Canada): Physical Security Measures; Physical Security Threats
    Pietro Michiardi (Institut Eurecom, France): Ad Hoc Network Security
    Brent A. Miller (IBM Corporation): Bluetooth Technology
    Refik Molva (Institut Eurecom, France): Ad Hoc Network Security
    Robert K. Moniot (Fordham University): Software Piracy
    Roy Morris (Capitol College): Voice-over Internet Protocol (VoIP)
    Scott Nathan (Independent Consultant): Corporate Spying: The Legal Aspects
    Randall K. Nichols (The George Washington University): Wireless Information Warfare
    Daryle P. Niedermayer (CGI Group Inc.): Security in Circuit, Message, and Packet Switching
    Peng Ning (North Carolina State University): Intrusion Detection Systems Basics

    M. S. Obaidat (Monmouth University): Digital Watermarking and Steganography; Forensic Computing; IPsec: AH and ESP; Security Policy Guidelines; Server-Side Security; Wireless Local Area Networks; VPN Basics

    S. Obeidat (Arizona State University): Wireless Local Area Networks
    Stephan Olariu (Old Dominion University): Security in Wireless Sensor Networks
    G. Massimo Palma (Università degli Studi di Milano, Italy): Quantum Cryptography
    Cynthia Pandolfo (Villanova University): Security and the Wireless Application Protocol
    Raymond R. Panko (University of Hawaii, Manoa): Computer Security Incident Response Teams (CSIRTs); Digital Signatures and Electronic Signatures; Internet Security Standards
    G. I. Papadimitriou (Aristotle University, Greece): VPN Basics; Wireless Local Area Networks
    C. Papazoglou (Aristotle University, Greece): VPN Basics
    S. Paraboschi (Università di Bergamo, Italy): Access Control: Principles and Solutions
    Radia Perlman (Sun Microsystems Laboratories): PKI (Public Key Infrastructure)
    Sebastien Petit (Gemplus, France): Smart Card Security
    Thomas L. Pigg (Jackson State Community College): Conducted Communications Media
    Mark Pollitt (DigitalEvidencePro): Law Enforcement and Digital Evidence
    A. S. Pomportsis (Aristotle University, Greece): VPN Basics
    Daniel N. Port (University of Hawaii, Manoa): Risk Management for IT Security
    Stephanie Porte (Gemplus, France): Smart Card Security
    Dennis M. Powers (Southern Oregon University): Cyberlaw: The Major Areas, Development, and Information Security Aspects
    Anupama Raju (Western Michigan University): TCP over Wireless Links
    Jeremy L. Rasmussen (Sypris Electronics, LLC): Password Authentication
    Indrajit Ray (Colorado State University): Electronic Payment Systems
    Julian J. Ray (University of Redlands): Business-to-Business Electronic Commerce
    Drummond Reed (OneName Corporation): Digital Identity
    Slim Rekhis (National Digital Certification Agency and University of Carthage, Tunisia): Server-Side Security
    Jian Ren (Michigan State University, East Lansing): Managing a Network Environment
    Vladimir V. Riabov (Rivier College): SMTP (Simple Mail Transfer Protocol)
    Marcus K. Rogers (Purdue University): Internal Security Threats
    Pankaj Rohatgi (IBM T. J. Watson Research Center): Side-Channel Attacks
    Arnon Rosenthal (The MITRE Corporation): Database Security
    Emilia Rosti (Università degli Studi di Milano, Italy): IP Multicast and Its Security
    Neil C. Rowe (U.S. Naval Postgraduate School): Electronic Protection
    Bradley S. Rubin (University of St. Thomas): Public Key Algorithms
    K. Rudolph (Native Intelligence, Inc.): Implementing a Security Awareness Program
    B. Sadoun (Al-Balqa’ Applied University, Jordan): Digital Watermarking and Steganography
    Akhil Sahai (Hewlett-Packard Laboratories): Web Services
    Antonio Saitto (Telespazio, Italy): Security of Satellite Networks
    Atul A. Salvekar (Intel Corporation): Digital Communication
    Pierangela Samarati (Università di Milano, Italy): Access Control: Principles and Solutions; Contingency Planning Management
    Shannon Schelin (The University of North Carolina, Chapel Hill): E-Government


    William T. Schiano (Bentley College): Intranets: Principals, Privacy, and Security Considerations
    Matthew Schmid (Cigital, Inc.): Antivirus Technology
    E. Eugene Schultz (University of California–Berkeley Lab): Windows 2000 Security; Denial of Service Attacks
    Mark Shacklette (The University of Chicago): UNIX Security
    P. M. Shankar (Drexel University): Wireless Channels
    J. Eagle Shutt (University of South Carolina): Law Enforcement and Computer Security Threats and Measures
    Nirvikar Singh (University of California, Santa Cruz): Digital Economy
    Robert Slade (Vancouver Institute for Research into User Security, Canada): Computer Viruses and Worms; Digital Courts, the Law and Evidence; Hoax Viruses and Virus Alerts
    Nigel Smart (University of Bristol, UK): Elliptic Curve Cryptography
    Richard E. Smith (University of St. Thomas): Multilevel Security
    Min Song (Old Dominion University): Mobile Devices and Protocols
    Mike Speciner (Independent Consultant): Data Encryption Standard (DES)
    Richard A. Spinello (Boston College): Internet Censorship
    Lee Sproull (New York University): Online Communities
    Evdoxia Spyropoulou (Technical Vocational Educational School of Computer Science of Halandri, Greece): Quality of Security Service: Adaptive Security
    William Stallings (Independent Consultant): Kerberos; Operating System Security
    Mark Stamp (San Jose State University): Multilevel Security Models
    Philip Statham (CESG, Cheltenham, Gloucestershire, UK): Issues and Concerns in Biometric IT Security
    Charles Steinfield (Michigan State University): Click-and-Brick Electronic Commerce; Electronic Commerce
    Ivan Stojmenovic (University of Ottawa, Canada): Cellular Networks
    Robin C. Stuart (Digital Investigations Consultant): Digital Evidence
    M. A. Suhail (University of Bradford, UK): Digital Watermarking and Steganography
    Wayne C. Summers (Columbus State University): Local Area Networks
    Jeff Swauger (University of Central Florida): Law Enforcement and Digital Evidence
    Mak Ming Tak (Hong Kong University of Science and Technology, Hong Kong): Fixed-Line Telephone System Vulnerabilities
    Thomas D. Tarman (Sandia National Laboratories): Security for ATM Networks
    Paul A. Taylor (University of Leeds, UK): Hacktivism
    Dale R. Thompson (University of Arkansas): Public Network Technologies and Security
    Jimi Thompson (Southern Methodist University): Electronic Attacks
    Stephen W. Thorpe (Neumann College): Extranets: Applications, Development, Security, and Privacy
    Amandeep Thukral (Purdue University): Key Management
    Michael Tunstall (Gemplus & Royal Holloway University, France): Fault Attacks; Smart Card Security
    Okechukwu Ugweje (The University of Akron): Radio Frequency and Wireless Communications Security
    István Vajda (Budapest University of Technology and Economics, Hungary): Standards for Product Security Assessment
    S. Rao Vallabhaneni (SRV Professional Publications): Auditing Information Systems Security
    Nicko van Someren (nCipher Plc., UK): Cryptographic Hardware Security Modules


    Phil Venables (Institute of Electrical and Electronics Engineers): Information Leakage: Detection and Countermeasures
    Giovanni Vigna (Reliable Software Group): Host-Based Intrusion Detection Systems
    Linda Volonino (Canisius College): Security Middleware
    Richard P. Volonino (Canisius College): Security Middleware
    Ashraf Wadaa (Old Dominion University): Security in Wireless Sensor Networks
    Blaze D. Waleski (Fulbright & Jaworski LLP): The Legal Implications of Information Security: Regulatory Compliance and Liability
    Jonathan Wallace (DoCoMo USA Labs): Anonymity and Identity on the Internet
    Siaw-Peng Wan (Elmhurst College): Online Retail Banking: Security Concerns, Breaches, and Controls
    Yongge Wang (University of North Carolina, Charlotte): PKCS (Public-Key Cryptography Standards)
    John Warren (University of Texas, San Antonio): Groupware: Risks, Threats, and Vulnerabilities in the Internet Age
    James L. Wayman (San Jose State University): Biometric Basics and Biometric Authentication
    Edgar R. Weippl (Vienna University of Technology, Austria): Security in E-Learning
    Stephen A. Weis (MIT Computer Science and Artificial Intelligence Laboratory): PGP (Pretty Good Privacy); RFID and Security
    Susanne Wetzel (Stevens Institute of Technology): Bluetooth Security
    A. Justin Wilder (Telos Corporation): Linux Security
    Raymond Wisman (Indiana University Southeast): Search Engines: Security, Privacy, and Ethical Issues
    Paul L. Witt (Texas Christian University): Internet Relay Chat
    Avishai Wool (Tel Aviv University, Israel): Packet Filtering and Stateful Firewalls
    Cheng-Zhong Xu (Wayne State University): Mobile Code and Security
    Xu Yan (Hong Kong University of Science and Technology, Hong Kong): Fixed-Line Telephone System Vulnerabilities
    Mustafa Yildiz (Isik University, Turkey): Security Insurance and Best Practices
    Adam L. Young (Cigital, Inc.): Trojan Horse Programs
    Meng Yu (Monmouth University): Information Assurance
    Sherali Zeadally (Wayne State University): Home Area Networking
    Jingyuan Zhang (University of Alabama): Cellular Networks
    Xukai Zou (Purdue University): Key Management; Public Key Standards: Secure Shell
    William A. Zucker (Gadsby Hannah LLP): Corporate Spying: The Legal Aspects


    Preface

    The Handbook of Information Security is the first comprehensive examination of the core topics in the security field. The Handbook of Information Security, a 3-volume reference work with 207 chapters and 3300+ pages, is a comprehensive coverage of information, computer, and network security.

    The primary audience is the libraries of 2-year and 4-year colleges and universities with computer science, MIS, CIS, IT, IS, data processing, and business departments; public, private, and corporate libraries throughout the world; and reference material for educators and practitioners in the information and computer security fields.

    The secondary audience is a variety of professionals and a diverse group of academic and professional course instructors.

    Among the industries expected to become increasingly dependent upon information and computer security and active in understanding the many issues surrounding this important and fast-growing field are: government, military, education, library, health, medical, law enforcement, accounting, legal, justice, manufacturing, financial services, insurance, communications, transportation, aerospace, energy, biotechnology, retail, and utility.

    Each volume incorporates state-of-the-art core information on computer security topics, practical applications, and coverage of the emerging issues in the information security field.

    This definitive 3-volume handbook offers coverage of both established and cutting-edge theories and developments in information, computer, and network security.

    This handbook contains chapters by global academic and industry experts. This handbook offers the following features:

    1) Each chapter follows a format including title and author, outline, introduction, body, conclusion, glossary, cross-references, and references. This format allows the reader to pick and choose various sections of a chapter. It also creates consistency throughout the entire series.

    2) The handbook has been written by more than 240 experts and reviewed by more than 1,000 academics and practitioners from around the world. These experts have created a definitive compendium of both established and cutting-edge theories and applications.

    3) Each chapter has been rigorously peer-reviewed. This review process assures accuracy and completeness.

    4) Each chapter provides extensive online and off-line references for additional readings, which will enable the reader to learn more on topics of special interest.

    5) The handbook contains more than 1,000 illustrations and tables that highlight complex topics for further understanding.

    6) Each chapter provides extensive cross-references, leading the reader to other chapters related to a particular topic.

    7) The handbook contains more than 2,700 glossary items. Many new terms and buzzwords are included to provide a better understanding of concepts and applications.

    8) The handbook contains a complete and comprehensive table of contents and index.

    9) The series emphasizes both technical as well as managerial, social, legal, and international issues in the field. This approach provides researchers, educators, students, and practitioners with a balanced perspective and background information that will be helpful when dealing with problems related to security issues and measures and the design of a sound security system.

    10) The series has been developed based on the current core course materials in several leading universities around the world and current practices in leading computer, security, and networking corporations.

    We chose to concentrate on fields and supporting technologies that have widespread applications in the academic and business worlds. To develop this handbook, we carefully reviewed current academic research in the security field from leading universities and research institutions around the world.

    Computer and network security, information security and privacy, management information systems, network design and management, computer information systems (CIS), decision support systems (DSS), and electronic commerce curriculums, recommended by the Association of Information Technology Professionals (AITP) and the Association for Computing Machinery (ACM), were carefully investigated. We also researched the current practices in the security field carried out by leading security and IT corporations. Our research helped us define the boundaries and contents of this project.

    TOPIC CATEGORIES

    Based on our research, we identified nine major topic categories for the handbook.

    • Key Concepts and Applications Related to Information Security
    • Infrastructure for the Internet, Computer Networks, and Secure Information Transfer
    • Standards and Protocols for Secure Information Transfer
    • Information Warfare
    • Social, Legal, and International Issues
    • Foundations of Information, Computer, and Network Security
    • Threats and Vulnerabilities to Information and Computing Infrastructures
    • Prevention: Keeping the Hackers and Crackers at Bay
    • Detection, Recovery, Management, and Policy Considerations

    Although these topics are related, each addresses a specific concern within information security. The chapters in each category are also interrelated and complementary, enabling readers to compare, contrast, and draw conclusions that might not otherwise be possible.

    Though the entries have been arranged logically, the light they shed knows no bounds. The handbook provides unmatched coverage of fundamental topics and issues for successful design and implementation of a sound security program. Its chapters can serve as material for a wide spectrum of courses such as:

    Information and Network Security

    Information Privacy

    Social Engineering

    Secure Financial Transactions

    Information Warfare

    Infrastructure for Secure Information Transfer

    Standards and Protocols for Secure Information Transfer

    Network Design and Management

    Client/Server Computing

    E-commerce

    Successful design and implementation of a sound security program requires a thorough knowledge of several technologies, theories, and supporting disciplines. Security researchers and practitioners have had to consult many resources to find answers. Some of these resources concentrate on technologies and infrastructures, some on social and legal issues, and some on managerial concerns. This handbook provides all of this information in a comprehensive, three-volume set with a lively format.

    Key Concepts and Applications Related to Information Security

    Chapters in this group examine a broad range of topics. Theories, concepts, technologies, and applications that expose either a user, manager, or an organization to security and privacy issues and/or create such security and privacy concerns are discussed. Careful attention is given to those concepts and technologies that have widespread applications in business and academic environments. These areas include e-banking, e-communities, e-commerce, e-education, and e-government.

    Infrastructure for the Internet, Computer Networks, and Secure Information Transfer

    Chapters in this group concentrate on the infrastructure, popular network types, key technologies, and principles for secure information transfer. Different types of communications media are discussed, followed by a review of a variety of networks including LANs, MANs, WANs, mobile, and cellular networks. This group of chapters also discusses important architectures for secure information transfers including TCP/IP, the Internet, peer-to-peer, and client/server computing.

    Standards and Protocols for Secure Information Transfer

    Chapters in this group discuss major protocols and standards in the security field. This topic includes important protocols for online transactions, e-mail protocols, Internet protocols, IPsec, and standards and protocols for wireless networks emphasizing 802.11.

    Information Warfare

    This group of chapters examines the growing field of information warfare. Important laws within the United States criminal justice system, as they relate to cybercrime and cyberterrorism, are discussed. Other chapters in this group discuss cybercrime, cyberfraud, cyber stalking, wireless information warfare, electronic attacks and protection, and the fundamentals of information assurance.

    Social, Legal, and International Issues

    Chapters in this group explore social, legal, and international issues relating to information privacy and computer security. Digital identity, identity theft, censorship, and different types of computer criminals are also explored. The chapters in this group also explain patent, trademark, and copyright issues and offer guidelines for protecting intellectual properties.

    Foundations of Information, Computer, and Network Security

    These chapters cover four different but complementary areas, including encryption, forensic computing, operating systems, and the Common Criteria together with the principles for improving security assurance.

    Threats and Vulnerabilities to Information and Computing Infrastructures

    The chapters in this group investigate major threats to, and vulnerabilities of, information and computing infrastructures in wired and wireless environments. The chapters specifically discuss intentional, unintentional, controllable, partially controllable, uncontrollable, physical, software, and hardware threats and vulnerabilities.

    Prevention: Keeping the Hackers and Crackers at Bay

    The chapters in this group present several concepts, tools, techniques, and technologies that help to protect information, keep networks secure, and keep the hackers and computer criminals at bay. Some of the topics discussed include physical security measures; measures for protecting client-side, server-side, database, and medical records; different types of authentication techniques; and preventing security threats to e-commerce and e-mail transactions.

    Detection, Recovery, Management, and Policy Considerations

    Chapters in this group discuss concepts, tools, and techniques for detection of security breaches, offer techniques and guidelines for recovery, and explain principles for managing a network environment. Some of the topics highlighted in this group include intrusion detection, contingency planning, risk management, auditing, and guidelines for effective security management and policy implementation.

    Acknowledgments

    Many specialists have helped to make the handbook a resource for experienced and not-so-experienced readers. It is to these contributors that I am especially grateful. This remarkable collection of scholars and practitioners has distilled their knowledge into a fascinating and enlightening one-stop knowledge base in information, computer, and network security that “talks” to readers. This has been a massive effort, as well as a most rewarding experience. So many people have played a role, it is difficult to know where to begin.

    I would like to thank the members of the editorial board for participating in the project and for their expert advice on selection of topics, recommendations of authors, and review of the materials. Many thanks to the more than 1,000 reviewers who provided their advice on improving the coverage, accuracy, and comprehensiveness of these materials.

    I thank my senior editor, Matt Holt, who initiated the idea of the handbook. Through a dozen drafts and many reviews, the project got off the ground and then was managed flawlessly by Matt and his professional team. Many thanks to Matt and his team for keeping the project focused and maintaining its lively coverage.

    Tamara Hummel, editorial coordinator, assisted the contributing authors and me during the initial phases of development. I am grateful for all her support. When it came time for the production phase, the superb Wiley production team took over. Particularly, I want to thank Deborah Schindlar, senior production editor. I am grateful for all her hard work. I thank Michelle Patterson, our marketing manager, for her impressive marketing campaign launched on behalf of the handbook.

    Last, but not least, I want to thank my wonderful wife, Nooshin, and my two children, Mohsen and Morvareed, for being so patient during this venture. They provided a pleasant environment that expedited the completion of this project. Mohsen and Morvareed assisted me in sending out thousands of e-mail messages to authors and reviewers. Nooshin was a great help in designing and maintaining the authors’ and reviewers’ databases. Their efforts are greatly appreciated. Also, my two sisters, Azam and Akram, provided moral support throughout my life. To this family, any expression of thanks is insufficient.

    Hossein Bidgoli
    California State University, Bakersfield


    Guide to The Handbook of Information Security

    The Handbook of Information Security is a comprehensive coverage of the relatively new and very important field of information, computer, and network security. This reference work consists of three separate volumes and 207 different chapters on various aspects of this field. Each chapter in the handbook provides a comprehensive overview of the selected topic, intended to inform a broad spectrum of readers, ranging from computer and security professionals and academicians to students to the general business community.

    This guide is provided to help the reader easily locate information throughout The Handbook of Information Security. It explains how the information within it can be located.

    Organization

    The handbook is organized for maximum ease of use, with the chapters arranged logically in three volumes. While one can read individual volumes (or articles), one will get the most out of the handbook by becoming conversant with all three volumes.

    Table of Contents

    A complete table of contents of the entire handbook appears in the front of each volume. This list of chapter titles represents topics that have been carefully selected by the editor-in-chief, Dr. Hossein Bidgoli, and his colleagues on the editorial board.

    Index

    A subject index for each individual volume is located at the end of each volume.

    Chapters

    The author’s name and affiliation are displayed at the beginning of the chapter.

    All chapters in the handbook are organized in the same format:

    Title and author
    Outline
    Introduction
    Body
    Conclusion
    Glossary
    Cross-References
    References

    Outline

    Each chapter begins with an outline that provides a brief overview of the chapter, as well as highlighting important subtopics. For example, the chapter “Internet Basics” includes sections for Information Superhighway and the World Wide Web, Domain Name Systems, Navigational Tools, Search Engines, and Directories. In addition, second-level and third-level headings will be found within the chapter.

    Introduction

    Each chapter begins with an introduction that defines the topic under discussion and summarizes the chapter, in order to give the reader a general idea of what is to come.

    Body

    The body of the chapter fills out and expands upon items covered in the outline.

    Conclusion

    The conclusion provides a summary of the chapter, highlighting issues and concepts that are important for the reader to remember.

    Glossary

    The glossary contains terms that are important to an understanding of the chapter and that may be unfamiliar to the reader. Each term is defined in the context of the particular chapter in which it is used. Thus the same term may be defined in two or more chapters with the detail of the definition varying slightly from one chapter to another. The handbook includes approximately 2,700 glossary terms. For example, the chapter “Internet Basics” includes the following glossary entries:

    Extranet: A secure network that uses the Internet and Web technology to connect two or more intranets of trusted business partners, enabling business-to-business, business-to-consumer, consumer-to-consumer, and consumer-to-business communications.

    Intranet: A network within the organization that uses Web technologies (TCP/IP, HTTP, FTP, SMTP, HTML, XML, and its variations) for collecting, storing, and disseminating useful information throughout the organization.

    Cross-References

    All chapters have cross-references to other chapters that contain further information on the same topic. They appear at the end of the chapter, preceding the references. The cross-references indicate related chapters that can be consulted for further information on the same topic. The handbook contains more than 1,400 cross-references in all. For example, the chapter “Computer Viruses and Worms” has the following cross-references:

    Hackers, Crackers and Computer Criminals; Hoax Viruses and Virus Alerts; Hostile Java Applets; Spyware; Trojan Horse Programs.

    References

    The references in this handbook are for the benefit of the reader, to provide references for further research on the given topic. Review articles and research papers that are important to an understanding of the topic are also listed. The references typically consist of a dozen to two dozen entries, and do not include all material consulted by the author in preparing the chapter.
