Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Computer Security: Principles and Practice", William Stallings/Lawrie Brown

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Han
    BKCMSCPP.RVW 20080204 Computer Security: Principles and Practice , William Stallings/Lawrie Brown, 2008, 978-0-13-600424-0 %A William Stallings
    Message 1 of 1 , Apr 14 1:34 PM
    View Source
    • 0 Attachment
      BKCMSCPP.RVW 20080204

      "Computer Security: Principles and Practice", William Stallings/Lawrie
      Brown, 2008, 978-0-13-600424-0
      %A William Stallings williamstallings.com/CompSec/CompSec1e.html
      %A Lawrie Brown
      %C One Lake St., Upper Saddle River, NJ 07458
      %D 2008
      %G 0-13-600424-5 978-0-13-600424-0
      %I Prentice Hall
      %O 800-576-3800 416-293-3621 +1-201-236-7139 fax: +1-201-236-7131
      %O http://www.amazon.com/exec/obidos/ASIN/0136004245/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/0136004245/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/0136004245/robsladesin03-20
      %O Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
      %P 798 p.
      %T "Computer Security: Principles and Practice"

      I am woefully laggard in getting this review out, particularly since I
      reviewed the text in process, last fall, and therefore have to declare
      a possibility of bias.

      The preface states that the book is intended as the text for a one- or
      two-semester course in computer security. The work is also addressed
      to professionals as a basic reference. In that latter regard it may
      come up short, missing elements of infrastructure, fire protection,
      investigation, forensics, and being rather weak in terms of
      architecture and business continuity planning.

      There is a rather interesting chapter zero in the volume (it and
      chapter one are presumably "part zero," which is sound computing
      theory, but somewhat bemusing in a book) laying out the structure of
      the text, as well as pointing to the technical resource and course
      Website, noted above. Chapter one defines fundamental security terms
      and concepts from various sources. The list is comprehensive, but,
      given sometimes conflicting positions, little attempt is made to
      analyze, integrate, or unify the material. There is an excellent set
      of references and a solid set of questions and problems, as well as a
      brief appendix addressing security standards and documents.

      Part one involves computer security technology and principles.
      Chapter two introduces cryptographic tools. The basic ideas of
      cryptography are presented, but one must go to other chapters and
      appendices for details and usage of the technology. This structure is
      unusual in cryptographic literature, but the new perspective may
      demonstrate somewhat stale abstractions in a fresh way. It is rather
      odd that the coverage of authentication, in chapter three, does not
      note the IAAA model of Identification, Authentication, Authorization,
      and Accountability. Access control, in chapter four, is limited to
      data access. ( The authors also follow the original paper describing
      Role-Based Access Control as a form of mandatory access control, even
      though RBAC is now frequently used in discretionary access control
      environments.) Chapter five's discussion of database security
      emphasizes the theoretical aspects of that specialty. Intrusion
      detection is introduced in chapter six. Malicious software is given a
      scholarly, rather than practical, treatment in chapter seven, but the
      content is more accurate than is usual even in the security
      literature. Denial of service attacks are addressed in chapter eight.
      Chapter nine's review of firewalls concentrates, almost exclusively,
      on stateful inspection, and the material on intrusion prevention
      systems repeats, to a large extent, chapter six. Trusted computing
      and multilevel security, in chapter ten, are discussed in terms of
      formal security models and security architecture.

      Part two deals with software security, with chapter eleven being
      devoted to the topic of buffer overflows, and the other software
      subjects covered comprising chapter twelve.

      Part three contains topics the authors consider to be management
      issues. These are (in order through chapters thirteen to eighteen),
      physical and infrastructure security, human factors (primarily policy
      and awareness concerns), auditing security management and risk
      assessment, security controls (plans and procedures), and legal and
      ethical aspects.

      Part four details cryptographic algorithms, and the material is as
      good as one might expect from the author of "Cryptography and Network
      Security" (cf. BKCRNTSC.RVW). Symmetric encryption and message
      confidentiality, illustrated by the Data Encryption Standard and the
      advanced Encryption Standard, is the topic of chapter nineteen.
      Asymmetric cryptography and hashes are in twenty.

      Part five turns to Internet security. Some Internet security
      protocols and standards are listed in chapter twenty-one. A detailed
      look at Kerberos leads off chapter twenty-two's examination of
      authentication applications.

      Operating systems security is the subject of part six, with a look at
      the Linux model in chapter twenty-three, and Windows in twenty-four.

      Appendices at the end of the book provide information on number
      theory, pseudorandom number generation, projects for teaching
      security, standards and standards organizations, and the TCP/IP
      protocol suite.

      Of the various domains of information systems security, there is
      limited material in regard to the security implications of various
      aspects of computer hardware and architecture, the formation of an
      architectural model for security design, and business continuity
      planning. Otherwise, however, the coverage is quite comprehensive,
      much more so than in other course texts such as Gollman's excellent
      but now aging "Computer Security" (cf. BKCOMPSC.RVW), Bishop's rather
      abstract "Computer Security: Art and Science" (cf. BKCMSCAS.RVW), and
      Stamp's interesting, but sometimes spotty, "Information Security:
      Principles and Practice" (cf. BKINSCPP.RVW). Anderson's "Security
      Engineering" (cf. BKSECENG.RVW) is, of course, not only a solid text,
      but also a useful professional reference, and Stalling and Brown might
      wish to examine the practical issues dealt with in that work. A range
      of editions of the "Information Security Management Handbook" (cf.
      BKINSCMH.RVW) would have similar overview, and more detail, but hardly
      in a single volume. There is also the "Official (ISC)^2 Guide to the
      CISSP Exam" (cf. BKOIGTCE.RVW), and now the "Official (ISC)^2 Guide to
      the CISSP CBK," but Stalling and Brown's work, while less broad and
      detailed, is more academically rigorous.

      copyright Robert M. Slade, 2008 BKCMSCPP.RVW 20080204


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      I'm all in favor of keeping dangerous weapons out of the hands of
      fools. Let's start with typewriters. - Frank Lloyd Wright
      http://victoria.tc.ca/techrev/rms.htm
    Your message has been successfully submitted and would be delivered to recipients shortly.