Information Security News mailing list archives

REVIEW: "Security in Computing", Charles P. Pfleeger/Shari Lawrence Pfleeger


From: InfoSec News <isn () c4i org>
Date: Thu, 6 Mar 2003 05:02:52 -0600 (CST)

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade () sprint ca>

BKSCNCMP.RVW   20030209

"Security in Computing", Charles P. Pfleeger/Shari Lawrence Pfleeger,
2003, 0-13-035548-8, U$79.00/C$122.99
%A   Charles P. Pfleeger
%A   Shari Lawrence Pfleeger s.pfleeger () ieee org
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2003
%G   0-13-035548-8
%I   Prentice Hall
%O   U$79.00/C$122.99 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0130355488/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0130355488/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0130355488/robsladesin03-20
%P   746 p.
%T   "Security in Computing"

This work is still obviously a textbook.  The attempts to target it at
a "professional" audience are possibly more convincing than in the
first edition, but it still reads like a text, and includes material
that is addressed at a scholastic, rather than experienced, audience. 
Even as a textbook it is difficult to say that it succeeds.  It addresses
a broad range of computer security related topics, although there is a
notable shortage of material dealing with formal security models,
access concepts, operational procedures, physical security, and
business continuity.  The level of detail in the different areas
varies greatly, but the shortcomings of the book could be addressed in
the hands of a competent teacher.

The ten chapters in the book are not divided into parts, but seem, in
some cases, to come in chunks.  The introductory chapter is an
overview of basic concepts involved with system security. 
Unfortunately, not all of them are explained fully.  The idea of
controls, for example, is a vital one, but the full ranges and types
of controls are not outlined.  There are also some not-quite-standard
additions to the lexicon, such as an attempt to divide threats into
four classes: interception, interruption, modification, and
fabrication.  It is difficult to see why fabrication is added to the
list, or why this provides a clearer view of threats than simply
looking to the opposites of confidentiality, integrity, and
availability.  Cryptography starts in chapter two (and, oddly, ends in
chapter ten).  The early coverage steps through different types of
simple encryption algorithms, followed up by cryptanalysis of the
same.  It strenuously avoids using any arithmetic, which makes
discussions of key sizes and strengths a bit difficult, but throws in
lots of symbolic logic, which seems to serve only to cloud the issue.

Chapter three starts what might be seen as a section on secure systems
development.  This is an important, and often neglected, topic, and is
generally covered reasonably well.  However, the material is not
always completely clear and rigorous.  For example, it is implied that
Thompson, rather than Cohen, was the first to investigate viruses. 
Leaving aside the fact that Cohen's work started a year before
Thompson's lecture (only the date of Cohen's graduation is given),
Thompson's thought experiment proposed only an extremely limited form
of reproduction.  Again, when discussing covert channels, both the
terms "timing channel" and "storage channel" are used, but all the
examples given relate only to timing channels.  Operating system
protections are supposed to be covered in chapter four, but the
content is an odd amalgam of computer architecture and high level
access control.  In regard to designing trusted operating systems,
chapter five starts with a very poor outline of formal models (the
text is not clear, and, again, the addition of symbolic logic fails to
assist in the tutorial), presents a fair review of operating system
requirements, and then spends a lot of time going over various
evaluation criteria, without presenting much content of any use.  The
outline of database security is disappointing: chapter six spends too
much time on specific details, while almost ignoring major concepts
such as aggregation.

Chapter seven, the longest in the book, devotes excessive space to
basic communications technologies, including two copies of the section
on transmission methods.  Administration, in chapter eight, provides
the usual generic advice on planning, risk, and policies. 
Intellectual property, computer crime, and ethics are presented as
problems with no solutions, in chapter nine.  The closing chapter
provides a whirlwind of the mathematics related to cryptography in an
impressive, disorganized, and basically pointless display.

This book could definitely use a wholesale reorganization and cleanup. 
The level and tone of the content varies tremendously from section to
section, even within given chapters.  While most computer security
topics appear somewhere within the work, there is very little in the
way of logical flow or links between subjects.  Major areas seem to be
thrown in with minor sections simply because they had to be put
somewhere.  In terms of textbooks, I do not know that there is much to
choose between this volume and Bishop's "Computer Security: Art and
Science" (cf. BKCMSCAS.RVW), although Pfleeger and Pfleeger might have
a slight edge.  Certainly Gollman's "Computer Security" (cf.
BKCOMPSC.RVW) is superior to both.  And, depending upon the course,
Anderson's "Security Engineering" (cf. BKSECENG.RVW) probably outranks
them all.

copyright Robert M. Slade, 1993, 2003   BKSCNCMP.RVW   20030209

-- 
======================
rslade () vcn bc ca  rslade () sprint ca  slade () victoria tc ca p1 () canada com
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
          March 31, 2003           Indianapolis, IN
