BKSCINCS.RVW 20081123

"Securing Information and Communications Systems", Steven Furnell et al, 2008, 978-1-59693-228-9, U$109.00
%A Steven Furnell www.cisnr.org info@cisnr.org
%A Sokratis Katsikas
%A Javier Lopez
%A Ahmed Patel
%C 685 Canton St., Norwood, MA 02062
%D 2008
%G 978-1-59693-228-9 1-59693-228-7
%I Artech House/Horizon
%O U$109.00 617-769-9750 fax: 617-769-6334 artech@artech-house.com
%O http://www.amazon.com/exec/obidos/ASIN/1596932287/robsladesinterne
%O http://www.amazon.co.uk/exec/obidos/ASIN/1596932287/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1596932287/robsladesin03-20
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 362 p.
%T "Securing Information and Communications Systems"

The preface states that the book is based on an idea which arose from work directed towards a specific conference or course, but does not really specify what the idea, or the subject of the course, was.

Chapter one, an introduction, notes the increasing importance of information security, and lists topics which seem to cover most of the field except for business continuity and physical security. Chapter two is a vague and disorganized overview of some generic concepts of security. Security management, in chapter three, is limited to an attempt to apply the PDCA (the Deming/Shewhart Plan-Do-Check-Act) model to process management, but the illustration material is unclear. (There is also a brief mention of business continuity planning.) A list of the standard means of authentication is given in chapter four. Some of the usual models of access control are catalogued in chapter five. (Although "authorization" is specifically mentioned in the chapter title, the text does not really address the issue. The figures purporting to explain the Bell-LaPadula and Biba models are pretty much incomprehensible.) Some threats and tools related to database security are noted in chapter six.

Chapter seven outlines some of the basic concepts of cryptography, but in a fairly abstract fashion. Most of the material on network security, in chapter eight, is a listing of tools. Some content is misleading: a list of VPN (Virtual Private Network) protocols fails to note that none of those included have any provisions for encryption or authentication. Chapter nine fills some of the gaps in seven, by raising some factors involved in a hierarchical model of PKI (Public Key Infrastructure). A few aspects of tokens and smart cards are discussed in chapter ten. Random thoughts on privacy and privacy-supporting technologies are in eleven. Chapter twelve looks, somewhat disjointedly, at various types of Web filtering, but the promised legal issues aren't really covered. Some functions of an investigation into a computer incident are reviewed in chapter thirteen. Chapter fourteen purports to propose a holistic approach to IT and communications security, but instead is a series of abstract and epistemological musings with little practical use. The formal requirements for a voting system are noted in chapter fifteen, but there is no actual system or any analysis of such. Chapter sixteen ostensibly describes a serverless, peer-to-peer wiki system, but at heart it is actually just a normal authentication system such as Kerberos: the problems noted at the beginning of the article are simply moved one stage back.

As a general introduction to or outline of security the work does not have the scope and detail of "Computer Security: Principles and Practice" by William Stallings and Lawrie Brown (cf. BKCMSCPP.RVW), or any of a number of other general works. In terms of specific, detailed, or recent research, the "Information Security Management Handbook" (cf. BKINSCMH.RVW) has much greater depth and range.

copyright Robert M. Slade, 2008