Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Information Security: Principles and Practice", Mark Stamp

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKINSCPP.RVW 20051112 Information Security: Principles and Practice , Mark Stamp, 2006, 0-471-73848-4 %A Mark Stamp stamp@cs.sjsu.edu %C 5353 Dundas
    Message 1 of 1 , Feb 15, 2006
      BKINSCPP.RVW 20051112

      "Information Security: Principles and Practice", Mark Stamp, 2006,
      %A Mark Stamp stamp@...
      %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
      %D 2006
      %G 0-471-73848-4
      %I John Wiley & Sons, Inc.
      %O U$74.95/C$96.99 416-236-4433 fax: 416-236-4448
      %O http://www.amazon.com/exec/obidos/ASIN/0471738484/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0471738484/robsladesin03-20
      %O Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
      %P 390 p.
      %T "Information Security: Principles and Practice"

      The preface stresses that the material in this book is intended to
      provide not only the formal concepts for security, but also advice for
      the real world. Security is addressed overall, but the work
      concentrates on cryptography, access controls, and software issues.
      (The author also adds a discussion of protocols. It is hard to see
      this as a separate issue, rather than simple implementation details of
      the other concepts.) The audience is not explicitly stated, but both
      security professionals and the idea of using the volume as a course
      text are mentioned.

      Chapter one is an introduction. Stamp will strike a very sympathetic
      chord with many support and security people when he adds a requirement
      to the normal list of security questions: can the system survive
      "clever" users? A set of problems are given at the end of the
      chapter. In contrast to the usual "reading checks," these are
      thoughtful items, intended to determine if the reader has understood
      the underlying concepts, and to start discussion.

      Part one addresses cryptography. Chapter two provides the basics,
      outlining some terms, theory, and history. Functions and algorithms
      of symmetric key cryptography are explained in chapter three,
      including some discussion of the controversy over the National
      Security Agency's role in the development of the Data Encryption
      Standard. (Stamp points out the weaknesses in the conspiracy theory.
      It is worth noting that Stamp used to work for the NSA :-) There are
      some fascinating additions to the usual material for this topic.
      Asymmetric algorithms and concepts, again with some interesting notes,
      are given in chapter four. Chapter five deals with hash functions and
      related topics (and also has a brief mention of steganography).
      Advanced cryptanalytic attacks are outlined in chapter six. (Those
      wanting to pursue this topic *will* have to brush up on their math.)

      Part two looks at access control. Chapter seven provides a reasonably
      complete look at direct authentication issues and technologies. The
      material on authorization, in chapter eight, extends the normal view
      of that topic by pointing out the advantages of capability lists and
      the fact that our basic security models are actually those of
      authorization. However, Stamp also includes some technologies, such
      as firewalls and intrusion detection systems, that have only a tenuous
      connection to authorization.

      Part three examines protocols. Chapter nine discusses simple
      authentication schemes, most relying on some kind of challenge-
      response system and encryption of some type. Although the writing is
      clear (and even amusing), Stamp dives into mathematics, sometimes at
      crucial moments and without fully explaining the base concepts. For
      real world security protocols, chapter ten looks at SSL (Secure
      Sockets Layer) and Kerberos, and also examines IPSec and GSM in some
      depth, pointing out the weaknesses in design.

      Part four deals with software. Chapter eleven explains buffer
      overflows and other attacks, and also discusses malware. (Stamp makes
      a rather odd mistake in calling the third type of malware detection
      "anomaly detection" rather than the more usual activity monitoring.
      However, the definition of the term fits activity monitoring
      properly.) Tamper resistance and software testing are legitimately
      part of software security, but chapter twelve also deals extensively
      with digital rights management (DRM) which seems to apply more to data
      protection. The DRM theme is extended in chapter thirteen which
      addresses operating system security functions, but also discusses
      Microsoft's upcoming Next Generation Secure Computing Base, which many
      feel is more applicable to DRM than any real security needs.

      An appendix provides an overview of networking, particularly TCP/IP,
      and network security issues.

      While not a complete coverage of security, this book has some
      excellent material on the subjects it covers. With limited
      exceptions, Stamp's writing is clear, and frequently amusing. (Unlike
      all too many works that try to inject humour into the security topic,
      Stamp's quips are not irrelevant or distracting, but often help to
      address or solidify concepts.) The cryptography section is
      particularly good, providing items of fairly contemporary
      cryptological history. The references are well chosen, and a great
      many are available on the Web, furnishing a rich source of items for
      further study, or general resources. I can easily recommend this text
      for those interested in cryptography, and it makes some good points
      with regard to software security, as well.

      But you can't have my copy. This one I'm keeping.

      copyright Robert M. Slade, 2005 BKINSCPP.RVW 20051112

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      To be or not to be: that is the question, whether its nobler in
      the mind to suffer the slings and arrows of outrageous fortune.
      In one of the Bard's best-thought-of tragedies, our insistent
      hero, Hamlet, queries on two fronts about how life turns rotten.
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
    Your message has been successfully submitted and would be delivered to recipients shortly.