BKSCNCMP.RVW 20030209 "Security in Computing", Charles P. Pfleeger/Shari Lawrence Pfleeger, 2003, 0-13-035548-8, U$79.00/C$122.99 %A Charles P. Pfleeger %A Shari Lawrence Pfleeger s.pfleeger@ieee.org %C One Lake St., Upper Saddle River, NJ 07458 %D 2003 %G 0-13-035548-8 %I Prentice Hall %O U$79.00/C$122.99 +1-201-236-7139 fax: +1-201-236-7131 %O http://www.amazon.com/exec/obidos/ASIN/0130355488/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0130355488/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0130355488/robsladesin03-20 %P 746 p. %T "Security in Computing" This work is still obviously a textbook. The attempts to target it at a "professional" audience are possibly more convincing than in the first edition, but it still reads like a text, and includes material that is addressed at a scholastic, rather than experienced, audience. Even as a textbook it difficult to say that it succeeds. It addresses a broad range of computer security related topics, although there is a notable shortage of material dealing with formal security models, access concepts, operational procedures, physical security, and business continuity. The level of detail in the different areas varies greatly, but the shortcomings of the book could be addressed in the hands of a competent teacher. The ten chapters in the book are not divided into parts, but seem, in some cases, to come in chunks. The introductory chapter is an overview of basic concepts involved with system security. Unfortunately, not all of them are explained fully. The idea of controls, for example, is a vital one, but the full ranges and types of controls are not outlined. There are also some not-quite-standard additions to the lexicon, such as an attempt to divide threats into four classes: interception, interruption, modification, and fabrication. It is difficult to see why fabrication is added to the list, or why this provides a clearer view of threats than simply looking to the opposites of confidentiality, integrity, and availability. Cryptography starts in chapter two (and, oddly, ends in chapter ten). The early coverage steps through different types of simple encryption algorithms, followed up by cryptanalysis of the same. It strenuously avoids using any arithmetic, which makes discussions of key sizes and strengths a bit difficult, but throws in lots of symbolic logic, which seems to serve only to cloud the issue. Chapter three starts what might be seen as a section on secure systems development. This is an important, and often neglected, topic, and is generally covered reasonably well. However, the material is not always completely clear and rigorous. For example, it is implied that Thompson, rather than Cohen, was the first to investigate viruses. Leaving aside the fact that Cohen's work started a year before Thompson's lecture (only the date of Cohen's graduation is given), Thompson's thought experiment proposed only an extremely limited form of reproduction. Again, when discussing covert channels, both the terms "timing channel" and "storage channel" are used, but all the examples given relate only to timing channels. Operating system protections are supposed to be covered in chapter four, but the content is an odd amalgam of computer architecture and high level access control. In regard to designing trusted operating systems, chapter five starts with a very poor outline of formal models (the test is not clear, and, again, the addition of symbolic logic fails to assist in the tutorial), presents a fair review of operating system requirements, and then spends a lot of time going over various evaluation criteria, without presenting much content of any use. The outline of database security is disappointing: chapter six spends too much time on specific details, while almost ignoring major concepts such as aggregation. Chapter seven, the longest in the book, devotes excessive space to basic communications technologies, including two copies of the section on transmission methods. Administration, in chapter eight, provides the usual generic advice on planning, risk, and policies. Intellectual property, computer crime, and ethics are presented as problems with no solutions, in chapter nine. The closing chapter provides a whirlwind of the mathematics related to cryptography in an impressive, disorganized, and basically pointless display. This book could definitely use a wholesale reorganization and cleanup. The level and tone of the content varies tremendously from section to section, even within given chapters. While most computer security topics appear somewhere within the work, there is very little in the way of logical flow or links between subjects. Major areas seem to be thrown in with minor sections simply because they had to be put somewhere. In terms of textbooks, I do not know that there is much to choose between this volume and Bishop's "Computer Security: Art and Science" (cf. BKCMSCAS.RVW), although Pfleeger and Pfleeger might have a slight edge. Certainly Gollman's "Computer Security" (cf. BKCOMPSC.RVW) is superior to both. And, depending upon the course, Anderson's "Security Engineering" (cf. BKSECENG.RVW) probably outranks them all. copyright Robert M. Slade, 1993, 2003 BKSCNCMP.RVW 20030209