REVIEW: "Information Security: Principles and Practice", Mark Stamp
- BKINSCPP.RVW 20051112
"Information Security: Principles and Practice", Mark Stamp, 2006,
%A Mark Stamp stamp@...
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%I John Wiley & Sons, Inc.
%O U$74.95/C$96.99 416-236-4433 fax: 416-236-4448
%O Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 390 p.
%T "Information Security: Principles and Practice"
The preface stresses that the material in this book is intended to
provide not only the formal concepts for security, but also advice for
the real world. Security is addressed overall, but the work
concentrates on cryptography, access controls, and software issues.
(The author also adds a discussion of protocols. It is hard to see
this as a separate issue, rather than simple implementation details of
the other concepts.) The audience is not explicitly stated, but both
security professionals and the idea of using the volume as a course
text are mentioned.
Chapter one is an introduction. Stamp will strike a very sympathetic
chord with many support and security people when he adds a requirement
to the normal list of security questions: can the system survive
"clever" users? A set of problems are given at the end of the
chapter. In contrast to the usual "reading checks," these are
thoughtful items, intended to determine if the reader has understood
the underlying concepts, and to start discussion.
Part one addresses cryptography. Chapter two provides the basics,
outlining some terms, theory, and history. Functions and algorithms
of symmetric key cryptography are explained in chapter three,
including some discussion of the controversy over the National
Security Agency's role in the development of the Data Encryption
Standard. (Stamp points out the weaknesses in the conspiracy theory.
It is worth noting that Stamp used to work for the NSA :-) There are
some fascinating additions to the usual material for this topic.
Asymmetric algorithms and concepts, again with some interesting notes,
are given in chapter four. Chapter five deals with hash functions and
related topics (and also has a brief mention of steganography).
Advanced cryptanalytic attacks are outlined in chapter six. (Those
wanting to pursue this topic *will* have to brush up on their math.)
Part two looks at access control. Chapter seven provides a reasonably
complete look at direct authentication issues and technologies. The
material on authorization, in chapter eight, extends the normal view
of that topic by pointing out the advantages of capability lists and
the fact that our basic security models are actually those of
authorization. However, Stamp also includes some technologies, such
as firewalls and intrusion detection systems, that have only a tenuous
connection to authorization.
Part three examines protocols. Chapter nine discusses simple
authentication schemes, most relying on some kind of challenge-response
system and encryption of some type. Although the writing is
clear (and even amusing), Stamp dives into mathematics, sometimes at
crucial moments and without fully explaining the base concepts. For
real-world security protocols, chapter ten looks at SSL (Secure
Sockets Layer) and Kerberos, and also examines IPSec and GSM in some
depth, pointing out the weaknesses in design.
Part four deals with software. Chapter eleven explains buffer
overflows and other attacks, and also discusses malware. (Stamp makes
a rather odd mistake in calling the third type of malware detection
"anomaly detection" rather than the more usual activity monitoring.
However, the definition of the term fits activity monitoring
properly.) Tamper resistance and software testing are legitimately
part of software security, but chapter twelve also deals extensively
with digital rights management (DRM), which seems to apply more to data
protection. The DRM theme is extended in chapter thirteen, which
addresses operating system security functions, but also discusses
Microsoft's upcoming Next Generation Secure Computing Base, which many
feel is more applicable to DRM than any real security needs.
An appendix provides an overview of networking, particularly TCP/IP,
and network security issues.
While not a complete coverage of security, this book has some
excellent material on the subjects it covers. With limited
exceptions, Stamp's writing is clear, and frequently amusing. (Unlike
all too many works that try to inject humour into the security topic,
Stamp's quips are not irrelevant or distracting, but often help to
address or solidify concepts.) The cryptography section is
particularly good, providing items of fairly contemporary
cryptological history. The references are well chosen, and a great
many are available on the Web, furnishing a rich source of items for
further study, or general resources. I can easily recommend this text
for those interested in cryptography, and it makes some good points
with regard to software security, as well.
But you can't have my copy. This one I'm keeping.
copyright Robert M. Slade, 2005 BKINSCPP.RVW 20051112
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade