BKCMSCPP.RVW 20080204

"Computer Security: Principles and Practice", William Stallings/Lawrie Brown, 2008, 978-0-13-600424-0

%A William Stallings williamstallings.com/CompSec/CompSec1e.html
%A Lawrie Brown
%C One Lake St., Upper Saddle River, NJ 07458
%D 2008
%G 0-13-600424-5 978-0-13-600424-0
%I Prentice Hall
%O 800-576-3800 416-293-3621 +1-201-236-7139 fax: +1-201-236-7131
%O http://www.amazon.com/exec/obidos/ASIN/0136004245/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0136004245/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0136004245/robsladesin03-20
%O Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P 798 p.
%T "Computer Security: Principles and Practice"

I am woefully laggard in getting this review out, particularly since I reviewed the text in process, last fall, and therefore have to declare a possibility of bias.

The preface states that the book is intended as the text for a one- or two-semester course in computer security. The work is also addressed to professionals as a basic reference. In that latter regard it may come up short, missing elements of infrastructure, fire protection, investigation, forensics, and being rather weak in terms of architecture and business continuity planning.

There is a rather interesting chapter zero in the volume (it and chapter one are presumably "part zero," which is sound computing theory, but somewhat bemusing in a book) laying out the structure of the text, as well as pointing to the technical resource and course Website, noted above. Chapter one defines fundamental security terms and concepts from various sources. The list is comprehensive, but, given sometimes conflicting positions, little attempt is made to analyze, integrate, or unify the material. There is an excellent set of references and a solid set of questions and problems, as well as a brief appendix addressing security standards and documents.

Part one involves computer security technology and principles.
Chapter two introduces cryptographic tools. The basic ideas of cryptography are presented, but one must go to other chapters and appendices for details and usage of the technology. This structure is unusual in cryptographic literature, but the new perspective may demonstrate somewhat stale abstractions in a fresh way. It is rather odd that the coverage of authentication, in chapter three, does not note the IAAA model of Identification, Authentication, Authorization, and Accountability. Access control, in chapter four, is limited to data access. (The authors also follow the original paper describing Role-Based Access Control as a form of mandatory access control, even though RBAC is now frequently used in discretionary access control environments.) Chapter five's discussion of database security emphasizes the theoretical aspects of that specialty. Intrusion detection is introduced in chapter six. Malicious software is given a scholarly, rather than practical, treatment in chapter seven, but the content is more accurate than is usual even in the security literature. Denial of service attacks are addressed in chapter eight. Chapter nine's review of firewalls concentrates, almost exclusively, on stateful inspection, and the material on intrusion prevention systems repeats, to a large extent, chapter six. Trusted computing and multilevel security, in chapter ten, are discussed in terms of formal security models and security architecture.

Part two deals with software security, with chapter eleven being devoted to the topic of buffer overflows, and the other software subjects covered comprising chapter twelve.

Part three contains topics the authors consider to be management issues. These are (in order through chapters thirteen to eighteen), physical and infrastructure security, human factors (primarily policy and awareness concerns), auditing security management and risk assessment, security controls (plans and procedures), and legal and ethical aspects.
Part four details cryptographic algorithms, and the material is as good as one might expect from the author of "Cryptography and Network Security" (cf. BKCRNTSC.RVW). Symmetric encryption and message confidentiality, illustrated by the Data Encryption Standard and the Advanced Encryption Standard, is the topic of chapter nineteen. Asymmetric cryptography and hashes are in twenty.

Part five turns to Internet security. Some Internet security protocols and standards are listed in chapter twenty-one. A detailed look at Kerberos leads off chapter twenty-two's examination of authentication applications.

Operating systems security is the subject of part six, with a look at the Linux model in chapter twenty-three, and Windows in twenty-four.

Appendices at the end of the book provide information on number theory, pseudorandom number generation, projects for teaching security, standards and standards organizations, and the TCP/IP protocol suite.

Of the various domains of information systems security, there is limited material in regard to the security implications of various aspects of computer hardware and architecture, the formation of an architectural model for security design, and business continuity planning. Otherwise, however, the coverage is quite comprehensive, much more so than in other course texts such as Gollman's excellent but now aging "Computer Security" (cf. BKCOMPSC.RVW), Bishop's rather abstract "Computer Security: Art and Science" (cf. BKCMSCAS.RVW), and Stamp's interesting, but sometimes spotty, "Information Security: Principles and Practice" (cf. BKINSCPP.RVW). Anderson's "Security Engineering" (cf. BKSECENG.RVW) is, of course, not only a solid text, but also a useful professional reference, and Stallings and Brown might wish to examine the practical issues dealt with in that work. A range of editions of the "Information Security Management Handbook" (cf. BKINSCMH.RVW) would have similar overview, and more detail, but hardly in a single volume.
There is also the "Official (ISC)^2 Guide to the CISSP Exam" (cf. BKOIGTCE.RVW), and now the "Official (ISC)^2 Guide to the CISSP CBK," but Stallings and Brown's work, while less broad and detailed, is more academically rigorous.

copyright Robert M. Slade, 2008