BKINSCPP.RVW 20051112

"Information Security: Principles and Practice", Mark Stamp, 2006,
0-471-73848-4
%A Mark Stamp stamp@cs.sjsu.edu
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2006
%G 0-471-73848-4
%I John Wiley & Sons, Inc.
%O U$74.95/C$96.99 416-236-4433 fax: 416-236-4448
%O http://www.amazon.com/exec/obidos/ASIN/0471738484/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471738484/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0471738484/robsladesin03-20
%O Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 390 p.
%T "Information Security: Principles and Practice"

The preface stresses that the material in this book is intended to provide not only the formal concepts for security, but also advice for the real world. Security is addressed overall, but the work concentrates on cryptography, access controls, and software issues. (The author also adds a discussion of protocols. It is hard to see this as a separate issue rather than as simple implementation details of the other concepts.) The audience is not explicitly stated, but both security professionals and the idea of using the volume as a course text are mentioned.

Chapter one is an introduction. Stamp will strike a very sympathetic chord with many support and security people when he adds a requirement to the normal list of security questions: can the system survive "clever" users? A set of problems is given at the end of the chapter. In contrast to the usual "reading checks," these are thoughtful items, intended to determine if the reader has understood the underlying concepts, and to start discussion.

Part one addresses cryptography. Chapter two provides the basics, outlining some terms, theory, and history. Functions and algorithms of symmetric key cryptography are explained in chapter three, including some discussion of the controversy over the National Security Agency's role in the development of the Data Encryption Standard. (Stamp points out the weaknesses in the conspiracy theory. It is worth noting that Stamp used to work for the NSA :-) There are some fascinating additions to the usual material for this topic. Asymmetric algorithms and concepts, again with some interesting notes, are given in chapter four. Chapter five deals with hash functions and related topics (and also has a brief mention of steganography). Advanced cryptanalytic attacks are outlined in chapter six. (Those wanting to pursue this topic *will* have to brush up on their math.)

Part two looks at access control. Chapter seven provides a reasonably complete look at direct authentication issues and technologies. The material on authorization, in chapter eight, extends the normal view of that topic by pointing out the advantages of capability lists and the fact that our basic security models are actually those of authorization. However, Stamp also includes some technologies, such as firewalls and intrusion detection systems, that have only a tenuous connection to authorization.

Part three examines protocols. Chapter nine discusses simple authentication schemes, most relying on some kind of challenge-response system and encryption of some type. Although the writing is clear (and even amusing), Stamp dives into mathematics, sometimes at crucial moments and without fully explaining the base concepts. For real world security protocols, chapter ten looks at SSL (Secure Sockets Layer) and Kerberos, and also examines IPSec and GSM in some depth, pointing out the weaknesses in design.

Part four deals with software. Chapter eleven explains buffer overflows and other attacks, and also discusses malware. (Stamp makes a rather odd mistake in calling the third type of malware detection "anomaly detection" rather than the more usual activity monitoring. However, the definition of the term fits activity monitoring properly.) Tamper resistance and software testing are legitimately part of software security, but chapter twelve also deals extensively with digital rights management (DRM), which seems to apply more to data protection. The DRM theme is extended in chapter thirteen, which addresses operating system security functions, but also discusses Microsoft's upcoming Next Generation Secure Computing Base, which many feel is more applicable to DRM than to any real security needs.

An appendix provides an overview of networking, particularly TCP/IP, and network security issues.

While not a complete coverage of security, this book has some excellent material on the subjects it covers. With limited exceptions, Stamp's writing is clear, and frequently amusing. (Unlike all too many works that try to inject humour into the security topic, Stamp's quips are not irrelevant or distracting, but often help to address or solidify concepts.) The cryptography section is particularly good, providing items of fairly contemporary cryptological history. The references are well chosen, and a great many are available on the Web, furnishing a rich source of items for further study, or general resources. I can easily recommend this text for those interested in cryptography, and it makes some good points with regard to software security, as well.

But you can't have my copy. This one I'm keeping.

copyright Robert M. Slade, 2005 BKINSCPP.RVW 20051112