|
This
book is about Computer security in Theory and Practice. The book is well organized into different
parts. I strongly recommend that you
read the roadmap that will guide you to the chapters of interest. Some of the chapters require basic
understanding of compilers, computer architecture, operating systems, some
comfort with modular arithmetic (on Cryptography) and couple of chapters
requires some considerable mathematical maturity. Each chapter will give you a nice summary, research issues and
further reading.
Part 1 of this book gives you a
nice and easy Introduction of computer security. It introduces you to the basic components like confidentiality,
integrity and availability.
You will learn about Threats
via actions called attacks, snooping, Modification or alteration,
masquerading or spoofing, Repudiation of origin, Denial of receipt, Delay and
Denial of service. These are
fundamental to understanding the basic components of computer security. The author goes on to define security
policy and the security mechanism, which is a method, tool, or procedure, for
enforcing a security policy. Goals of
security like prevention, detection and recovery (includes retaliation) came
up next. Part 1 finishes off telling
us that security rests on assumptions and trust, Assurance requiring good
specification, design and implementation. Operational Issues explain the
cost-benefit analysis, risk analysis then laws and customs. Finally The Human Issues includes
organizational problems and people problems.
Good stuff.
Part 2 is all about
foundations. Starting with chapter 2, Access Control Matrix.
In here you will see some real
easy examples of an AC matrix Model and some Mathematical symbology of
protection state transitions and conditional commands. Finally all about rights like copying,
owning and the attenuation of privilege.
I find Chapter 2 to be very easy to understand but wait until you get to
chapter 3.
Chapter 3 is more difficult and
can be skipped if you like. How about
if I give you a taste of chapter 3 by asking one question. Under what conditions can a generic
algorithm determine whether a system is secure? or Does there exist an algorithm for determining whether a
given protection system with initial state S0 ('S' sub zero) is safe with
respect to a generic right r? Also
you will see some Theorems and Proofs and some Protection Models that you
need to spend lots of time to read and understand. The material in this chapter depends on chapter 2 but for the
most part not used elsewhere. Chapter
3 can be safely skipped if the interests of the reader lie elsewhere.
Part 3 is all about Policy.
You will learn about the types
of security policy, the Role of trust, types of access control, policy
languages (High-level, Low-level) and good examples followed.
Very easy read. The section digs deeper into
Confidentiality Policies and available Models. Again good examples followed.
You will learn about Tanquility (has nothing to do with the quality of
your tan) and some Controversy over some models. The component Integrity Policies was the subject of chapter 6
in part 3.
The author sets the Goals for
each policy component and then goes into the available Models of that
component to further depth of understanding.
Chapter 7 talked about Hybrid Policies. Few organizations limit their security objectives to
confidentiality or integrity only; most desire both, in some mixture. Chapter
7 presents such model. The Chinese
Wall model and the Clinical Information Systems security Model. And
other. I find this chapter to be very
easy to read and understand. The
author has done an excellent work here.
Part 3 finishes with chapter 8 about Noninterference and policy
composition. All in all the examples
were good and necessary to understand the subject matter.
Part 4: Implementation I: Cryptography
I was looking forward for this
part which talked about the basics of cryptography, Key management, Cipher
Techniques and Authentication.
I enjoyed reading this part and
I wished that the author was able to put few extra lines of information to
make it easier on me to understand the subject mater.
The examples were good but
required me to spend too much time to understand it.
What you will learn is what is
Cryptography, Classical Cryptosystems, Transposition Ciphers, Substitution
Ciphers, Vigenere Cipher and more.
Other Classical Ciphers came to
life due to the fact that 64-bit and 128-bit key proved as easy to break and
fell to differential cryptanalysis.
Here the author introduces us to Public Key Cryptography and RSA
(exponentiation cipher), Cryptographic Checksums and HMAC were well discussed
with examples.
Key Management is the subject
matter of chapter 10. You will learn
about Session and Interchange keys, Classical, Kerberos, Key Generation,
Infrastructures, Certificates, Protocols, Storing and Revoking keys, Key
Escrow and the Clipper Chip and Digital Signatures (RSA, El Gamal). Chapter
11 talks about Cipher Techniques, Chapter 12 is all about Authentication. Read about Biometrics, Fingerprints,
Voices, Eyes, Faces, Keystrokes, and Combinations. Fascinating stuff indeed.
Part 5: Implementation II: Systems
Consists of 5 Chapters (13-17)
starting with eight (8) design Principles of security mechanisms, Identity
representation which includes group and role representation of users and
their privileges, Access Control Mechanisms basics and organization,
Information Flow runtime or complier-based mechanisms for analyzing and
controlling the flow of information and Confinement Problem which is the
problem of containing data for the authorized only (sandboxes and covert
channels).
I find this to be a must read
part of the book. It is easy to read
and understand. Very well done.
Part 6: Assurance
The following chapters are easy
to read also. Software engineering
knowledge is very helpful.
Consists of 4 chapters ( 18-21
) provides fundamental definitions and presents an overview of current
assurance techniques, how to build a system addressing the life cycle issues
of assurance, Specifications, proof-based verification, model checking and
protocol verification and finally Evaluating Systems.
Part 7: Special Topics
Here in the next 4 chapters
where it will get interesting. I am
talking about Malicious Logic, Computer viruses, worms, and Trojan horses and
how to attack a computer system. Some
more details about Boot Sector Infectors, Executable Infectors, Multipartite
Viruses, TSR Viruses, Stealth Viruses, Encrypted Viruses, Polymorphic Viruses
and Macro Viruses. Computer Worms
come next then Rabbits and Bacteria and Logic Bombs. The authors go into the Theory of
Malicious Logic for all what he discussed before. Next comes the Defenses against Malicious Logic. Vulnerability Analysis and examples of
penetrating different systems.
Auditing is used for determining security violations. The Anatomy of an auditing System gives
you a good understanding what auditing consists off. Finally Intrusion Detection and all the
Models. Must read part of the
book. Did not see anything about
sleeper, incremental or gang viruses.
Part 8: Practicum
This is where most readers
should start if they are not interested in the Theorems, Models and
mathematics of computer security.
This part of the book consists
of 4 chapters that explore the application of the ideas and tools of the
previous parts of the book in four different setting.
Starting with chapter 26 to 29
Network Security, System Security, User Security, and Program Security
respectively. Again, these four
chapters are very easy to read and understand. I strongly recommend that you read this part fully. Since this part is self-contained you only
need chapter 1 for this part. If you
like more details then reading relevant material in other parts of the book
might be necessary.
Part 9: End Matter (The final)
Here is the summary for this
part: Lattices, The extended Euclidean algorithm, Entropy and Uncertainty,
Virtual Machines, Symbolic Logic, and Example Academic Security Policy. Very short Chapters, lots of mathematics,
algorithms, and good Example on Academic Security Policy.
Succinctly speaking, all in all
I have done another book on the shelf for future reference. I will have to read this book again for
further understanding of the subject matter.
I highly recommend this book for
a good understanding of computer security and delve into the world of its
theorems and mathematics. This book
is for everyone and don’t be intimidated by it. There is enough material in this book for everyone to
benefit. Best wishes and good luck.
|