System Security Roadmap

Welcome

System Security Implementation

• Diomidis Spinellis <dds@aueb.gr (mailto:dds@aueb.gr)>
  Department of Management Science and Technology
  Athens University of Economics and Business (http://www.aueb.gr)
• How to implement security at your site
• Practice, tools, methods

Schedule

Παρασκευή 5 Νοεμβρίου 2004

• Έναρξη 15:00
• Διάλειμμα για φαγητό και καφέ: 16:30-17:00
• Μάθημα: 17:00-18:30
• Διάλειμμα για καφέ: 18:30-18:45
• Μάθημα: 18:45-19:30

Σάββατο 6 Νοεμβρίου 2004

• Έναρξη 09:00
• Διάλειμμα για καφέ: 10:30-10:45
• Μάθημα: 10:45-12:15
• Διάλειμμα για φαγητό και καφέ: 12:15-12:45
• Μάθημα: 12:45-13:30

Overview

• System Security Roadmap
• Welcome
• Overview
• Notes
• Security Infrastrucutre
• Security Infrastructure Investment
• Management Errors
• Security Mission Statement
• Security Awareness Training
• Security Support Personnel Duties
• Auditing
• Tools
• Targeted System Binaries And Directories
• Internet Attack Methods
• Incident Response
• Management-related Security Problems
• Software Installation Practices
• Authentication Practices
• Backup Practices
• Port Filtering Practices
• Auditing Practices
• Common Vulnerabilities
• Common Unix Vulnerabilities
• Common Windows Vulnerabilities
• Home-user Tips
• System Administrator Best Practices
• Low-cost Security Improvements
• Security Web Sites
• Security Books
• Cryptology
• Cryptology
• Algorithm Uses and Properties
• Algorithm Types
• Maintaining Confidentiality
• Transposition Ciphers
• Transposition Cryptanalysis
• Substitution Ciphers
• Polyalphabetic Ciphers
• Rotor Machines
• The Playfair Cipher
• SP Networks
• The Data Encryption Standard (DES)
• The Advanced Encryption Standard (AES)
• Operation Modes
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Output Feedback Mode (OFB)
• Hash Function Applications
• Asymmetric Ciphers
• The Diffie-Hellman Protocol
• Bibliography
• Access Control, Firewalls and VPNs
• Hardware-based Access Control
• Operating System Access Control
• Firewall Purpose
• Security Strategies
• Security by Obscurity
• Firewall Limitations
• Firewall Technologies
• Packet filtering
• Service Packet Filtering
• IP Packet Filtering
• Proxying
• Network Address Translation
• Firewall Architectures
• Incidents
• Maintenance
• VPN Architectures
• Tunneling
• Defence in Depth Example
• Bibliography
• Web Security, and Mobile Code
• Web Security Requirements
• User Privacy
• Malicious Applets
• The Java Sandbox Model
• ActiveX and Code Signing
• Javascript
• Cookies
• Protecting the Internet Explorer
• Protecting the Netscape Navigator
• User Authentication
• Application-layer Attacks
• Server Security and scripting
• State Variable Manipulation
• Cross-site Scripting
• Bibliography
• Software Security
• Principles for Software Security
• Buffer Overflows
• Unix Access Control
• Windows Access Control
• Race Conditions
• Randomness and Determinism
• Applying Cryptography
• Trust Management
• Password Authentication
• Database Security
• Application Security
• Bibliography

Notes

• Equivalent to the presentation "slides"
• Accessible over the Web http://www.spinellis.gr/secimp ( http://www.spinellis.gr/secimp)
• Continously updated
• Links for printable version at the end of the table of contents

Security Infrastructure

• Management commitment
• Resources to back security policies and procedures
• Staff dedicated to security tasks
• Security mission statement
• Security awareness training program
• Security policies and procedures
  • Clearly defined
  • Implemented
  • Documented
  • Supplied to everyone within your organization
• Strong flow of information to and from the appropriate groups
• Security incident response team
• External and internal security perimeter controls
• Host and network based security auditing tools

Security Infrastructure Investment

• Risk analysis
• Demonstrate threat (e.g. network sniffing) probes.
• Run scanning tools against your network (be careful)
• Impact on company image
• Impact of DOS attack
• Information on other attacks

Management Errors

As determined by the 1,850 computer security experts and managers meeting at the SANS99 and Federal Computer Security Conferences held in Baltimore May 7-14, 1999
From http://www.sans.org/newlook/resources/errors.htm (http://www.sans.org/newlook/resources/errors.htm)

• Pretend the problem will go away if they ignore it.
• Authorize reactive, short-term fixes so problems re-emerge rapidly
• Fail to realize how much money their information and organizational reputations are worth.
• Rely primarily on a firewall.
• Fail to deal with the operational aspects of security:
  make a few fixes and then not allow the follow through necessary to ensure the problems stay fixed
• Fail to understand the relationship of information security to the business problem.
• Understand physical security but do not see the consequences of poor information security.
• Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.

Security Mission Statement

• Security expectations of users and customers
• Customer loss by security breaches
• Customer loss by impaired functionality (due to security)
• Past down-time and monetary loss due to security incidents
• Insider threats
• User trust
• Local and remote access
• On-line sensitive or personal information
• Loss due to compromise or theft
• Different levels of security for different parts of your organization
  • ERP systems
  • Development
  • Customer support
• Cost of negative publicity
• Existing security guidelines, regulations, or laws
• Conflict of business requirements and security
• Importance of confidentiality, integrity, availability
• Business needs
• Financial constraints

Security Awareness Training

• Use different media and formats
  • Class
  • Web
  • Documentation
  • Video
  • Hands-on
• Part of new employee orientation
• Mock incidents (e.g. mail attachment)
• Circulate advisories and alerts
• Review procedures and content

Example of a CERT Advisory

Subject: CERT Summary CS-2002-02
Date: Tue, 28 May 2002 14:50:15 -0400 (EDT)
From: CERT Advisory <cert-advisory@cert.org>
Organization: CERT(R) Coordination Center - +1 412-268-7090
To: cert-advisory@cert.org

CERT Summary CS-2002-02

   May 28, 2002

   Each  quarter, the CERT Coordination Center (CERT/CC) issues the CERT
   summary  to  draw  attention  to  the types of attacks reported to our
   incident  response  team,  as  well  as  other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.

   Past CERT summaries are available at http://www.cert.org/summaries/.
   ______________________________________________________________________

Recent Activity

   Since  the  last  regularly scheduled CERT summary, issued in February
   2002  (CS-2002-01),  we  have  released  several advisories addressing
   vulnerabilties   in   Microsoft's  IIS  server,  Oracle  Database  and
   Application  Servers, Sun Solaris cachefsd, and MSN Instant Messenger.
   In  addition,  we  have  published statistics for the first quarter of
   2002,  numerous  white  papers,  and  a collection of frequently asked
   questions about the OCTAVE Method.

   For  more  current  information  on  activity  being  reported  to the
   CERT/CC,  please  visit the CERT/CC Current Activity page. The Current
   Activity  page  is  a  regularly updated summary of the most frequent,
   high-impact  types  of  security  incidents  and vulnerabilities being
   reported  to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.

    1. Exploitation of Vulnerabilities in Microsoft SQL Server

       The  CERT/CC  has  received  reports  of systems being compromised
       through  the  automated  exploitation  of  null or weak default sa
       passwords  in Microsoft SQL Server and Microsoft Data Engine. This
       activity  is  accompanied by high volumes of scanning, and appears
       to  be  related  to recently discovered self-propagating malicious
       code,  referred  to  by  various  sources  as Spida, SQLsnake, and
       Digispid.

       CERT Incident Note IN-2002-04:
       Exploitation of Vulnerabilities in Microsoft SQL Server
       http://www.cert.org/incident_notes/IN-2002-04.html

[...]

Security Support Personnel Duties

• Define, produce, and maintain official security policy and documentation
• Act as the organisation's personal data protection officer
• Recommend and develop internal security standards
• Monitor, audit, and test systems and networks for possible security problems
• Monitor (and respond to) security alerts, newsgroups, mailing lists, and postings.
• Review security log files on a daily basis and investigate anomalies as needed
• Evaluate, procure, test, install, and maintain security infrastructure tools
• Test and install patches and fixes for security vulnerabilities in vendor software
• Stay current on security technology and possible threats to your organization
• Respond to security incidents
  • Investigation
  • Coordination
  • Reporting
  • Follow-up
  • Liaise with law-enforcement officers
  • Expert witness in legal proceedings
• Participate in reviews and analysis of internal projects
• Advocate corporate information security policy and procedures to internal and external clients, customers, users, and staff

Security log example

Subject: istlab.dmst.aueb.gr security check output
Date: Sat, 15 Jun 2002 03:01:02 +0300 (EEST)
From: Charlie Root <root@istlab.dmst.aueb.gr>
To: undisclosed-recipients:;

Checking setuid files and devices:


Checking for uids 

Checking setuid files and devices:


Checking for uids of 0:
root 0
toor 0


Checking for passwordless accounts:


istlab.dmst.aueb.gr kernel log messages:
> Jun 14 17:21:29 istlab su: dds to root on /dev/ttyp0
> Jun 14 23:30:02 istlab sendmail[65649]: g5EKU1a65648: Truncated MIME Content-Disposition header due to field size (length = 23) (possible attack)


istlab.dmst.aueb.gr login failures:


istlab.dmst.aueb.gr refused connections:

Coordination with ISP

Subject: Re: Prospatheia hacking
Date: Mon, 15 Jan 2001 12:49:33 +0200
From: OTEnet Network Abuse Team <abuse@otenet.gr>
To: Diomidis Spinellis <dds@host.gr>

On Mon, Jan 15, 2001 at 11:30:06AM +0200, Diomidis Spinellis wrote:
> Ο παρακάτω χρήστης σας προσπάθησε το Σάββατο να παραβιάσει το μηχάνημα
> XXX.XXX.XXX.XXX:
> 
> Jan 13 01:28:17 inet popper[20009]: ddl@athe530-q166.otenet.gr: -ERR
> Unknown command: "close".
> Jan 13 01:28:19 inet popper[20009]: Possible probe of account ddl from
> host
> athe530-q166.otenet.gr
> Jan 13 01:28:31 inet popper[20010]: dds@athe530-q166.otenet.gr: -ERR
> Unknown command: "l".
> Jan 13 01:28:33 inet popper[20010]: dds@athe530-q166.otenet.gr: -ERR
> Unknown command: "r".
> 
> Παρακαλώ να με ενημερώσετε για τις ενέργειές σας.
> 
> Φιλικά,
> 
> Δ. Σπινέλλης

-- 
Agaphte Kyrie

Meta apo e3etash twn log files pou mas exete steilei, exoume entopisei ton
syndromhth mas ekeino, o opoios empleketai sthn en logw apopeira kai exoume 
pra3ei ta deonta prokeimenou na mhn epanalhfthoun sto mellon tetoies energeies 
apo merous tou.

OTEnet Network Abuse Team

Complaint

Subject: [Spam mail]
Date: Tue, 22 Jan 2002 12:56:20 +0200
From: XXX@yyy.gr
To: abuse@isp.gr
CC: abuse@host.gr

Aytos fainetai (me traceroute) oti pairnei grammh apo esas. Epeidh oi idioi
einai spammers sas stelnw esas to complaint.

To spam einai attached.
Eyxaristw.

-- 

[Copy of the spam mail]

Auditing

Tools

• Host-based Auditing Tools:
  COPS, NCARP, crack, Tiger, Tripwire, logcheck, tklogger, Safesuite, NetSonar
• Network Traffic Analysis & Intrusion Detection Tools:
  tcpdump, synsniff, NetRanger, NOCOL, NFR, RealSecure, Shadow
• Security Management and Improvement Tools:
  crack, localmail, smrsh, logdaemon, npasswd, op, passwd+, S4-kit, sfingerd, sudo, swatch, watcher, wuftpd, LPRng
• Firewall, Proxy amd Filtering Tools:
  fwtk, ipfilter, ipfirewall, portmap v3, SOCKS, tcp_wrappers, smapd
• Network-Based Auditing Tools:
  nmap, nessus, SATAN, Safesuite
• Encryption Tools:
  md5, md5check, PGP, rpem, UFC-crypt
• One-Time Password Tools:
  OPIE, S/Key
• Secure Remote Access and Authorization Tools:
  RADIUS, TACACS+, SSL, SSH, Kerberos

Targeted System Binaries And Directories

• System binaries:
  • /bin/login
  • /usr/etc/in.telnetd
  • /usr/etc/in.ftpd
  • /usr/etc/in.tftpd
  • /usr/ucb/netstat
  • /bin/ps
  • /bin/ls
  • /usr/sbin/ifconfig
  • /bin/df
  • /usr/lib/libc.a
  • /usr/lib/*.so
  • /usr/ucb/cc
• Files:
  • /.rhosts
  • /etc/hosts.equiv
  • /bin/.rhosts
  • /etc/passwd
  • /etc/group
  • /var/yp/* (nis maps)
  • root environment files (.login, .cshrc, .profile, .forward)
• Hidden files:
  • Starting with .
  • /tmp
  • /var/tmp
  • /etc/tmp
  • /usr/spool
  • /usr/lib/cron
• Modified files:
  • /var/log/messages
  • /var/log/wtmp
  • /var/log/lastlog
  • /var/account/*

Internet Attack Methods

• Exploitation of vulnerabilities in vendor programs.
• Exploitation of cgi-bin vulnerabilities.
• Email bombing, spamming and relaying through other sites.
• Exploitation of misconfigured anonymous FTP and web servers.
• Exploitation of named/BIND vulnerabilities.
• Exploitation of mail transfer agents and mail readers.
• Denial of Services (DoS) attacks using various methods.
• Sending hostile code and attack programs as mail attachments or browsed page contents.

Incident Response

• Don't panic!
• Evaluate the situation
  • Has attacker succeeded?
  • Is the attack in progress?
• Follow your organization’s policies and procedures,
• Use the appropriate chain of command when notifying other people or organizations.
• Contact incident response agencies appropriate for your site
• Make communication via an out-of-band method (e.g., a phone call) to ensure intruders do not intercept information.
• Document your actions
  • persons contacted
  • phone calls made
  • files modified
  • system jobs stopped
• Snapshot the system
• Make copies of files the intruders may have left or touched and store them off-line.
  • Malicious code
  • Log files
• If you are unsure of what actions to take, seek additional help and guidance before removing files or halting system processes.
• Involve security department
  • Physical access
  • Insider
  • Law enforcement officers
• Plan

Incident Response Centers

GRNET-CERT

Computer Emergency Responce Team for the Greek National Research Network

E-Mail: grnet-cert@grnet.gr (mailto:grnet-cert@grnet.gr)

Network Operations Center, University of the Aegean, 30 Voulgaroktonou str, Athens 114 72, Greece

Telephone: +30 - 210 - 649 - 2056
Telefax: +30 - 210 - 649 - 2499
World Wide Web: http://cert.grnet.gr (http://cert.grnet.gr)

Network Management Center
National Technical University of Athens
Iroon Polytechnioy 9
Zografou, GR 157 80
Athens
Greece
phone [+30-210] 772.1860
fax [+30-210] 772.1866
http://www.ntua.gr/grnet-cert/grnet-cert.html (http://www.ntua.gr/grnet-cert/grnet-cert.html)

Management-related Security Problems

• No dedicated staff
• Insufficient resources
• Lack of management support
• Staff with no authority to deploy appropriate security measures
• Failure to install vendor patches for known security problems.
• No monitoring and restricting network access to internal hosts.
• Not using sufficient authentication and authorization systems for remote access.
• Failure to implement or enforce procedures and standards when installing new devices on the network.
• Security through obscurity

Software Installation Practices

• remove unnecessary software,
• turn off unneeded services,
• close extraneous ports.

Authentication Practices

• Audit the accounts on your systems and create a master list
• Develop procedures for adding authorized accounts to the list, and for removing accounts when they are no longer in use.
• Validate the list on a regular basis to make sure no new accounts have been added and that unused accounts have been removed.
• Run a password cracking tool against the accounts looking for weak or no passwords. (Make sure you have official written permission before employing a password cracking tool.)
• Train users
• Install password checking tools
• Use alternative authentication methods

Backup Practices

• Inventory critical systems
• Are there backup procedures for those systems?
• Is the backup interval acceptable?
• Are those systems being backed up according to the procedures?
• Has the backup media been verified to make sure the data is being backed up accurately?
• Is the backup media properly protected in-house and with off-site storage?
• Are there copies of the operating system and any restoration utilities stored off-site (including necessary license keys)?
• Have restoration procedures been validated and tested?

Port Filtering Practices

• Configure router
• Install a firewall
• Use a port scanner (e.g. nmap, netstat)
• Turn-off services (/etc/inetd.conf, /etc/rc*, services)

Evaluating Vulnerabilities

• Systems impacted
• How to determine if we are vulnerable
• How to protect against it

Common Unix Vulnerabilities

• U1 BIND Domain Name System
• U2 Web Server
• U3 Authentication
• U4 Version Control Systems
• U5 Mail Transport Service
• U6 Simple Network Management Protocol (SNMP)
• U7 Open Secure Sockets Layer (SSL)
• U8 Misconfiguration of Enterprise Services NIS/NFS
• U9 Databases
• U10 Kernel

Common Windows Vulnerabilities

• W1 Web Servers and Services
• W2 Workstation Service
• W3 Windows Remote Access Services
• W4 Microsoft SQL Server (MSSQL)
• W5 Windows Authentication
• W6 Web Browsers
• W7 File-Sharing Applications
• W8 LSAS Exposures
• W9 Mail Client
• W10 Instant Messaging

Home-user Tips

• Use strong passwords.
• Make regular backups of critical data.
• Use virus protection software.
• Use a firewall as a gatekeeper between your computer and the Internet.
• Do not keep computers online when not in use.
• Do not open e-mail attachments from strangers or suspicious attachments.
• Regularly download security patches from your software vendors.

System Administrator Best Practices

• Knowledge update
• System and console - physical security
• Keep your systems lean and mean
• Superuser password
• Delegating superuser tasks
• User passwords
• User terminals
• Restrict users (shell, remote access)
• User education
• Keep your systems up to date
• Vulnerability testing
• Monitor your systems periodically
• Configuration documentation
• Backup and disaster recovery

Low-cost Security Improvements

• Document and publish what you expect your system support staff to do with respect to security.
• Configure your border routers to deny all unnecessary incoming traffic.
• Identify and protect your most valuable assets first.
• Secure the perimeter and core systems.
• Simplify.
• Use freeware vulnerability assessment tools to conduct a self-assessment of your network and computers. Publish the results internally to management staff.
• Install freeware host and network based auditing and traffic analysis tools on critical hosts.
• Monitor output and logs on a daily basis.

Free Tool Repositories

• ftp://ciac.llnl.gov/pub/ciac/sectools/unix/ (ftp://ciac.llnl.gov/pub/ciac/sectools/unix/)
• ftp://ftp.cerias.purdue.edu (ftp://ftp.cerias.purdue.edu)
• ftp://ftp.cert.org/pub/tools/ (ftp://ftp.cert.org/pub/tools/)
• ftp://ftp.win.tue.nl/pub/security/ (ftp://ftp.win.tue.nl/pub/security/)
• ftp://ftp.funet.fi/pub/unix/security/ (ftp://ftp.funet.fi/pub/unix/security/)

Security Web Sites

• http://www.sans.org/ (http://www.sans.org/)
• http://www.cerias.purdue.edu (http://www.cerias.purdue.edu)
• http://java.sun.com/security/ (http://java.sun.com/security/)
• http://www.telstra.com.au/info/security.html (http://www.telstra.com.au/info/security.html)
• http://www.ntbugtraq.com/ (http://www.ntbugtraq.com/)
• http://www.nsi.org/compsec.html (http://www.nsi.org/compsec.html)
• http://www.securityportal.com (http://www.securityportal.com)
• NSA's Operating System Configuration Guidelines (http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1)
• http://www.icsa.net/ (http://www.icsa.net/)
• http://www.tno.nl/instit/fel/intern/wkinfsec.html (http://www.tno.nl/instit/fel/intern/wkinfsec.html)
• http://l0pht.com/ (http://l0pht.com/)
• ftp://ftp.porcupine.org/pub/security/index.html (ftp://ftp.porcupine.org/pub/security/index.html)
• http://www.boran.com/security/ (http://www.boran.com/security/)
• http://www.cordis.lu/infosec/ (http://www.cordis.lu/infosec/)
• http://www.dpa.gr/ (http://www.dpa.gr/)
• http://www.itpolicy.gsa.gov/ (http://www.itpolicy.gsa.gov/)
• http://www.cit.nih.gov/security.html (http://www.cit.nih.gov/security.html)
• http://cs-www.ncsl.nist.gov/ (http://cs-www.ncsl.nist.gov/)
• http://www.phrack.com/ (http://www.phrack.com/)
• http://www.2600.com/ (http://www.2600.com/)

Security Books

• Firewalls and Internet Security by Bill Cheswick and Steve Bellovin

• Practical UNIX and Internet Security, 2nd Edition by Simson Garfinkel and Gene Spafford

• Ross Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, New York, 2001.

• Friedrich L. Bauer. Decrypted Secrets: Methods and Maxims of Cryptology. Springer Verlag, 1997.

• Dorothy Elizabeth Robling Denning. Cryptography and Data Security. Addison-Wesley, 1983.

• Peter J. Denning. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990.

• Tom Forester and Perry Morrison. Computer Ethics: Cautionary Tales and Ethical Dilemmas in Computing. MIT Press, Cambridge, 1990.

• Dieter Gollmann. Computer Security. John Wiley & Sons, New York, 1999.

• Michael Howard and David LeBlanc. Writing Secure Code. Microsoft Press, Redmond, WA, second edition, 2003.

• David Kahn. The Codebreakers: The Story of Secret Writing. Scribner, New York, 1996.

• Gary McGraw and Edward W. Felten. Securing Java: Getting Down to Business with Mobile Code. Wiley, New York, 1999.

• Peter G. Neumann. Computer Related Risks. Addison-Wesley, 1995.

• David L. Oppenheimer, David A. Wagner, and Michele D. Crabb. System Security: A Management Perspective. Short Topics in System Administration. USENIX Association, Berkeley, CA, 1997.

• Eric Rescorla. SSL and TLS. Addison-Wesley, 2001.

• Aviel D. Rubin, Daniel Geer, and Marcus J. Ranum. Web Security Sourcebook. John Wiley & Sons, New York, 1997.

• Bruce Schneier. Applied Cryptography. Wiley, New York, second edition, 1996.

• Bruce Schneier. Secrets & Lies: Digital Security in a Networked World. Wiley Computer Publishing, New York, 2000.

• John Viega and Gary McGraw. Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley, 2001.

• Elizabeth Zwicky, Simon Cooper, and D. Brent Chapman. Building Internet Firewalls. O'Reilly and Associates, Sebastopol, CA, second edition, 2000.

Articles

• Anish Bhinami. Securing the commercial internet. Communications of the ACM, 39(6):29–35, June 1996.

• Huseyin Cavusoglu, Birendra Mishra, and Srinivasan Raghunathan. Model for evaluating security investments. Communications of the ACM, 47(7):87–92, July 2004.

• Commission of the European Communities. Glossary of information systems security. DGXIII, INFOSEC Programme/S2001, 1993.

• Commission of the European Communities. Risk analysis methods database. DGXIII, INFOSEC Programme/S2014, 1993.

• United Kingdom Central Computer and Telecommunication Agency, United Kingdom. CCTA Risk Analysis and Management Method: User Manual., version 3.0 edition, 1996. HMSO.

• Eric Dubois and Suchun Wu. A framework for dealing with and specifying security requirements in information systems. In Sokratis K. Katsikas and Dimitris Gritzalis, editors, Information Systems Security: Facing the information society of the 21st century, pages 88–99. Chapman & Hall, 1996.

• C. Ellison and B. Schneier. Ten risks of pki: What you're not being told about public key infrastructure. Computer Security Journal, 16(1):1–7, 2000.

• J. H. P. Eloff, L. Labuschagne, and K. P. Badenhorst. A comparative framework for risk analysis methods. Computers & Security, 12(6):597–603, October 1993.

• M. E. Kabay. The NCSA Guide ot Enterprise Security: Protecting Information Assets. McGraw-Hill, 1996.

• Ravi Sandhu, Edward Coyne, Hal Feinstein, and Charles Youman. Role-based access control: A multi-dimensional view. In 10th Annual Computer Security Applications Conference, pages 54–62. IEEE Computer Society Press, 1994.

• Richard G. Wilsher and Helmut Kurth. Security assurance in information systems. In Sokratis K. Katsikas and Dimitris Gritzalis, editors, Information Systems Security: Facing the information society of the 21st century, pages 74–87. Chapman & Hall, 1996.

• Contents

 Last change: Sunday, October 30, 2005 10:39 pm
 Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-Share Alike 3.0 Greece License.