BKSCCMTS.RVW 971109

"Secure Computing: Threats and Safeguards", Rita C. Summers, 1997, 0-07-069419-2, C$87.95
%A Rita C. Summers
%C 300 Water Street, Whitby, Ontario L1N 9B6
%D 1997
%G 0-07-069419-2
%I McGraw-Hill Ryerson/Osborne
%O C$87.95 905-430-5000 +1-800-565-5758 +1-905-430-5134
%O fax: 905-430-5020 louisea@McGrawHill.ca lisah@McGrawHill.ca
%P 688 p.
%T "Secure Computing: Threats and Safeguards"

This work is intended as a general, and mostly complete, coverage of all computer security topics. The author wishes to avoid the problem of a number of specialized works that address only isolated subjects within the field of security. The work is also intended for all audiences: developers, purchasers, security experts, managers, students, computer professionals, and even users. Just about everyone, it seems, except the non-computer-using public at large.

The book does provide a broad overview, looking at a general introduction to concepts, the context for security, threats, policies, models, cryptography, secure design and implementation, architecture and operating systems, security services, database security, network security, distributed systems, management, and analysis. Within those topics are included such diverse elements as ethics and physical security. The content is said to cover the topics to a "moderate depth." This depends upon what topic is being addressed. Theoretical areas are dealt with in mathematical detail. More practical subjects get rather short shrift. There is a very definite "large system" bias in the work: the author's tenure at IBM will surprise nobody.

The book, while not completely disorganized, feels rather confused. This may be because, while the first four chapters are collectively referred to as "Foundations," in many ways the entire book is one long backgrounder. Chapter four is entitled "Policies and Models" but chapter twelve, on management, is much more appropriate as a guide to what a security policy has to deal with and take account of. (Ironically, the one place in the book that does suggest that the question is better dealt with in a later section of the book is in the section on viruses, which says that chapters eight and twelve provide more detailed information on antiviral safeguards. Chapters eight and twelve have nothing significant to say about the topic.)

References are listed at the end of each chapter, both as a collection of works in bibliographic format, and in a section-by-section annotation of suggested further readings. While a large number of the citations are to magazine and periodical articles, a very healthy selection of superior books is included as well.

There is a series of exercises at the end of each chapter. Commendably few of these questions are simply tests of whether you have read the material and can find the right page to copy the answer. Most of them pose problems or questions for discussion and reflection. However, in some cases I noted queries that were very open-ended, or that admitted a large variety of answers depending upon your interpretation of the question. In some other cases the material presented in the chapter was not sufficient to properly deal with the exercise.

Although Summers seems to be quite proud of producing what she considers to be a very readable text, the writing is quite dry. Perhaps in an attempt to "write down" to non-experts, the author sometimes includes statements that are profoundly trivial, such as the assertion in chapter four that a "computer security policy is expressed in a language such as Spanish or English or Japanese." While the point that natural language is not as precise as mathematics might be valid, even in English it could be written better than that.

The section on computer viruses is quite weak. An old definition is used that excludes boot sector infectors and macro viruses, but these infectors are discussed within pages without note of the disparity. Most of the research done in this area seems to be quite dated: a virus prevalence survey from 1992 is cited that gives rates orders of magnitude lower than currently seen. "Free software" and bulletin boards are cited as possible sources (as usual), although surrounding sentences note that any sharing of disks and even commercial software can be viral vectors.

Although not as pronounced, similar weaknesses can be found in other technical sections. The chapter on cryptography is "by the book" and while it does provide algorithms for many encryption methods it doesn't address real issues of relative strength and weakness in different methods.

Overall, the book provides a broad, but pedestrian, overview of data and system security. It might best be recommended to students in university and college courses on the topic.

copyright Robert M. Slade, 1997