Authors: Charles P. Pfleeger and Shari Lawrence Pfleeger
Publisher: Prentice Hall PTR
The review you’re about to read is about a classic guide to information security. The first edition of this book was published in 1989 and since then it’s been updated with a ton of content. As you can see from the author biographies below, the authors are highly skilled in what they do. Does that assure the high quality of this publication? Read on to find out.
About the authors
Charles P. Pfleeger is a Master Security Architect for Cable & Wireless, the world’s premier web hosting and Internet solutions provider. He regularly advises clients on secure design and implementation of network applications and architectures.
Shari Lawrence Pfleeger, senior researcher for RAND, is author of eight books on software engineering, measurement, and quality, including “Software Engineering: Theory and Practice, Second Edition”. She was named by The Journal of Systems and Software as one of the world’s top software engineering researchers.
Inside the book
The authors start by explaining what “secure” means and describe some characteristics of a computer intrusion. Also discussed here are attacks and the meaning of computer security. This introductory chapter gives you an appropriate overview of the problems an organization faces on a daily basis and some insight into the methods of defense that can be used. Underlined here is the importance of all the parts that make up the entire security architecture – security is no stronger than its weakest point.
The following topic of discussion is elementary cryptography. This is where you learn about the concepts of encryption and cryptanalysis. But that’s certainly not all: there’s also information on symmetric and asymmetric encryption as well as the DES, AES and RSA algorithms. The authors supply various examples and diagrams to help you understand the material. As a final thing, the authors introduce several widely used applications of cryptography: key exchange, protocols, hash functions, digital signatures and certificates. If you want more information, you will be pointed in the right direction, as several books are listed as additional reading material.
Next you learn why security is needed at the program level and how it can be achieved. First, the authors write about programming errors (buffer overflows and incomplete access control) and then move on to give you information on viruses, worms and Trojan horses. Naturally, none of this would be complete without some software engineering principles and practices – program development controls against vulnerabilities and malicious code – which are also included. When it comes to virus signatures, you see the signature of the well-known Code Red worm. Addressed here are also some truths and misconceptions about viruses.
Moving on, the authors illustrate the contributions that operating systems have made to user security. Here you find a bit of history of protection in operating systems and afterwards an overview of protection features provided by general-purpose operating systems: the protection of memory, files and the executing environment. There are numerous figures in this chapter and they complement the text quite nicely. To close the chapter the authors give you information on the control of access to general objects, file protection mechanisms and user authentication. The part dedicated to passwords is particularly well written and covers the topic in great depth.
Chapter five brings you closer to the world of operating systems and their design. Here you get an understanding of what a trusted system is, as well as a whole lot on security policies. The authors illustrate military and commercial security policies before moving on to the topic of security models. Here you learn that it’s good to study security models since they are important in determining the policies a secure system should enforce. Also, the study of abstract models can help you understand the properties of protection systems. The design of trusted operating systems is covered pretty well and shows you why security should be implemented.
Since many people rely on a database management system, it makes sense to have a chapter that deals with database security. The authors describe what a database is and define the terminology related to its use. When it comes to the security requirements of a database system, the following are described: physical and logical database integrity, element integrity, auditability, access control, user authentication and availability. As regards multilevel secure databases, the authors discuss three approaches: partitioned, cryptographically sealed and filtered.
And now we reach the seventh chapter, the largest chapter in the book. It’s as large as the topic it covers – security in networks. In order to enable you to study network threats and controls efficiently, the authors first review some of the relevant networking terms and concepts. Here you learn about protocols, topologies and distributed systems. As regards the threats, you see what makes a network vulnerable and the various attacks that can be launched against a network. Also presented are the many excellent defenses available as well as important controls such as firewalls, intrusion detection systems and encrypted e-mail.
Security is not achieved only through technology. This is the message behind chapter eight, which shows you the administrative and physical aspects of security. The areas that the authors cover here are: planning, risk analysis, organizational security policies and physical control. A solid amount of information has been devoted to the discussion of physical security, a topic often neglected or marginalized in other computer security books. The authors note that many threats to security involve human or natural disasters, events that should be addressed in the security plan.
The authors also provide a study of the human controls applicable to computer security – the legal system and ethics. Discussed here are patents, copyrights, trademarks, privacy, codes of professional ethics, etc. The last chapter of the book, entitled “Cryptography Explained”, explains in detail the mathematics that underlies the different encryption schemes.
My 2 cents
This senior/graduate level textbook will give you a good foundation in computer security. The target audiences of this book are computer scientists, college students, software engineers and managers who want to broaden their knowledge. At the end of every chapter you find numerous exercises that can help you verify your knowledge. The book is very well written, packed with a ton of information and easy to understand.