funsec mailing list archives

REVIEW: "Computer Security: Principles and Practice", William Stallings/Lawrie Brown


From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade () shaw ca>
Date: Mon, 14 Apr 2008 12:34:38 -0800

BKCMSCPP.RVW   20080204

"Computer Security: Principles and Practice", William Stallings/Lawrie
Brown, 2008, 978-0-13-600424-0
%A   William Stallings williamstallings.com/CompSec/CompSec1e.html
%A   Lawrie Brown
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2008
%G   0-13-600424-5 978-0-13-600424-0
%I   Prentice Hall
%O   800-576-3800 416-293-3621 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0136004245/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0136004245/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0136004245/robsladesin03-20
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   798 p.
%T   "Computer Security: Principles and Practice"

I am woefully laggard in getting this review out, particularly since I
reviewed the text in process, last fall, and therefore have to declare
a possibility of bias.

The preface states that the book is intended as the text for a one- or
two-semester course in computer security.  The work is also addressed
to professionals as a basic reference.  In that latter regard it may
come up short, missing elements of infrastructure, fire protection,
investigation, forensics, and being rather weak in terms of
architecture and business continuity planning.

There is a rather interesting chapter zero in the volume (it and
chapter one are presumably "part zero," which is sound computing
theory, but somewhat bemusing in a book) laying out the structure of
the text, as well as pointing to the technical resource and course
Website, noted above.  Chapter one defines fundamental security terms
and concepts from various sources.  The list is comprehensive, but,
given sometimes conflicting positions, little attempt is made to
analyze, integrate, or unify the material.  There is an excellent set
of references and a solid set of questions and problems, as well as a
brief appendix addressing security standards and documents.

Part one involves computer security technology and principles.
Chapter two introduces cryptographic tools.  The basic ideas of
cryptography are presented, but one must go to other chapters and
appendices for details and usage of the technology.  This structure is
unusual in cryptographic literature, but the new perspective may
demonstrate somewhat stale abstractions in a fresh way.  It is rather
odd that the coverage of authentication, in chapter three, does not
note the IAAA model of Identification, Authentication, Authorization,
and Accountability.  Access control, in chapter four, is limited to
data access.  (The authors also follow the original paper describing
Role-Based Access Control as a form of mandatory access control, even
though RBAC is now frequently used in discretionary access control
environments.)  Chapter five's discussion of database security
emphasizes the theoretical aspects of that specialty.  Intrusion
detection is introduced in chapter six.  Malicious software is given a
scholarly, rather than practical, treatment in chapter seven, but the
content is more accurate than is usual even in the security
literature.  Denial of service attacks are addressed in chapter eight.
Chapter nine's review of firewalls concentrates, almost exclusively,
on stateful inspection, and the material on intrusion prevention
systems repeats, to a large extent, chapter six.  Trusted computing
and multilevel security, in chapter ten, are discussed in terms of
formal security models and security architecture.

Part two deals with software security, with chapter eleven being
devoted to the topic of buffer overflows, and the other software
subjects covered comprising chapter twelve.

Part three contains topics the authors consider to be management
issues.  These are (in order through chapters thirteen to eighteen),
physical and infrastructure security, human factors (primarily policy
and awareness concerns), auditing, security management and risk
assessment, security controls (plans and procedures), and legal and
ethical aspects.

Part four details cryptographic algorithms, and the material is as
good as one might expect from the author of "Cryptography and Network
Security" (cf. BKCRNTSC.RVW).  Symmetric encryption and message
confidentiality, illustrated by the Data Encryption Standard and the
Advanced Encryption Standard, is the topic of chapter nineteen.
Asymmetric cryptography and hashes are in twenty.

Part five turns to Internet security.  Some Internet security
protocols and standards are listed in chapter twenty-one.  A detailed
look at Kerberos leads off chapter twenty-two's examination of
authentication applications.

Operating systems security is the subject of part six, with a look at
the Linux model in chapter twenty-three, and Windows in twenty-four.

Appendices at the end of the book provide information on number
theory, pseudorandom number generation, projects for teaching
security, standards and standards organizations, and the TCP/IP
protocol suite.

Of the various domains of information systems security, there is
limited material in regard to the security implications of various
aspects of computer hardware and architecture, the formation of an
architectural model for security design, and business continuity
planning.  Otherwise, however, the coverage is quite comprehensive,
much more so than in other course texts such as Gollmann's excellent
but now aging "Computer Security" (cf. BKCOMPSC.RVW), Bishop's rather
abstract "Computer Security: Art and Science" (cf. BKCMSCAS.RVW), and
Stamp's interesting, but sometimes spotty, "Information Security:
Principles and Practice" (cf. BKINSCPP.RVW).  Anderson's "Security
Engineering" (cf. BKSECENG.RVW) is, of course, not only a solid text,
but also a useful professional reference, and Stallings and Brown might
wish to examine the practical issues dealt with in that work.  A range
of editions of the "Information Security Management Handbook" (cf.
BKINSCMH.RVW) would have similar overview, and more detail, but hardly
in a single volume.  There is also the "Official (ISC)^2 Guide to the
CISSP Exam" (cf. BKOIGTCE.RVW), and now the "Official (ISC)^2 Guide to
the CISSP CBK," but Stallings and Brown's work, while less broad and
detailed, is more academically rigorous.

copyright Robert M. Slade, 2008   BKCMSCPP.RVW   20080204


======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
Without censorship, things can get terribly confused in the
public mind.                  -  General William Westmoreland, 1960s
http://victoria.tc.ca/techrev/rms.htm