InfoSec Reviews – Information Security

Reviewer Name: Richard Weatherill

Reviewer Qualifications: MBCS CITP CLAS ITPC A.Inst.ISP

Book Title: Information Security

Subtitle: Principles and Practice

Author(s): Mark Stamp

Publisher: Wiley

Date of Publishing: 2011 (Second Edition)

ISBN(13): 9780470626399

Price (UK&US price – full price, not discounted price): £73.50, $110.00

EBook Version: Kindle edition available £45.18

URL of Publisher Site: Wiley.com

URL of Amazon UK web page: Information Security: Principles and Practice

URL of Amazon US web page: Amazon.com

URL of author’s textbook site (including .ppt slides, lecture videos and errata): Author’s textbook site

The fact that this book includes no fewer than 500 ‘homework’ problems, a bibliography with over 300 entries, and an appendix that includes a section on ‘Math Essentials’ clearly indicates the nature of its intended readership. Mark Stamp is Professor of Computer Science at San José State University and this is unashamedly an academic textbook – though quite an approachable one. This is the second edition of a work that first hit the shelves in 2005 and the text is supported by a wealth of additional (free) material, downloadable from the author’s website.

Professor Stamp expresses the hope that his book will also be a useful resource for working IT professionals and this review is being written from that standpoint. Certainly, the Information Security Manager hoping for guidance on how to establish a robust ISMS (perhaps in order to gain ISO/IEC 27001 certification) will need to look elsewhere. Nevertheless, there is much of value in the book for the manager who wants to refresh his/her knowledge of the technical foundations of information security, or who simply needs to understand what these ‘techies’ are on about! (The section of the appendix on Network Security Basics might be particularly helpful here – although it is very basic.)

The book is divided into four main themes: Cryptography; Access Control; Protocols and Software. The section on Cryptography, which is by far the longest, covers the topic in a sensible order, moving from the basics through Symmetric Key crypto, to the development of Public Key techniques and advanced cryptanalysis. Professor Stamp does a good job of explaining the historical context of these developments – and the story is a very interesting one. The mathematical basis of the techniques described is also well covered, with helpful simplifications being clearly indicated. However, the approach is suitably rigorous where it needs to be, for example, when distinguishing cryptographic hash functions from looser uses of the term “hashing”. As far as specifics are concerned, the text includes a description of RC4, DES, Triple DES, RSA, AES, Diffie-Hellman (for key exchange) and the Elliptic Curve (ECC) domain.

The Access Control theme is divided, conventionally, into chapters on Authentication and Authorisation (the latter including sections on firewalls and IDS techniques). The initial focus is on passwords and, in particular, on some of the problems associated with relying on passwords alone as an authentication mechanism. Professor Stamp then considers the use of various biometrics, including fingerprints, hand geometry and iris scanning. The chapter concludes with a relatively brief discussion of the use of tokens, Two-Factor Authentication and the Holy Grail that is Single Sign-On.

The topic of Authorisation is introduced from a historical perspective, culminating in a rather downbeat assessment of Common Criteria certification and the EAL rating system. The subject matter properly covers Access Control Matrices/Lists, the main Multilevel Security Models, and specific topics including Compartmented Security and Covert Channels. Professor Stamp manages to treat all these subjects in a way that is concise without being superficial; the same is true of the discussion of firewalls and (both signature- and anomaly-based) IDS, which follows. That said, the experienced engineer, for whom firewall or IDS management is an all too familiar part of the daily routine, might not learn very much that’s new (apart, perhaps, from the theoretical underpinnings of anomaly-based IDS).

The Protocols theme follows on very naturally with a description of simple authentication protocols, including the use of symmetric and public keys, and an interesting discussion of the (mis)use of TCP for authentication. This largely theoretical treatment is followed up by an analysis of a range of real-world protocols, focusing on SSL, IPSec (specifically, the two IKE phases), Kerberos, WEP and GSM. The difference between IPSec transport and tunnel modes is particularly well explained.

The final main theme of the book is software. In the business world, the security threats arising from this source are often ‘treated’ by either blind faith in the use of COTS products, occasionally supported by a robust patching policy, or (in the case of bespoke software development) by placing the problem on the ‘too difficult’ pile. It is therefore helpful to have an explanation of the ways in which vulnerabilities can arise – either by accident or design. Professor Stamp introduces the topic with a discussion of common software flaws and several real-world examples of malware. Following this is a chapter covering software reverse engineering and the often opaque subject of Digital Rights Management, concluding with an interesting analysis of the security risks inherent in the software development process (including the relative merits of open and closed source software). The final chapter is devoted to the security functions of operating systems, with a look at Trusted Computing and the Next Generation Secure Computing Base (NGSCB).

If you are intent on reading this book from cover to cover then, at almost 600 pages, it might appear a bit daunting. However, taking into account the index, bibliography and sets of problems, the main content (including appendices) is a more manageable 400 pages or so. It is perhaps unfortunate that Professor Stamp chose to deal with cryptography first because this is by far the most technical part of the book, with mathematical functions liberally sprinkled throughout the more discursive material. The author has done his best to make the mathematics accessible to the non-specialist, but non-academic readers might still find it off-putting. Anyone who really needs a thorough understanding of this topic would certainly benefit from working through the material in some detail and, for further reinforcement, could also try their hand at some of the associated problems.

The good news is that each of the main themes covered by the book is more or less freestanding and this, coupled with the fact that the chapters are very well structured, means that it’s relatively easy to dip in and out in order to research a specific subject. The extensive bibliography provides plenty of pointers to more in-depth coverage of pretty well every topic.

Finally, be warned (unless you really believe the Internet was invented by Al Gore!) that the author includes frequent ‘humorous’ footnotes throughout the book.

This book covers four main themes: cryptography; access control; protocols and software. Whilst primarily a university textbook, it contains much that is of value to the working IT professional. Current security issues in each area are well described, in an approachable style, although parts of the text do demand some mathematical skills.

Marks: 4 out of 5

****