Network Security CISSP-Discussion
Subject: [CISSP-D] REVIEW: "Computer Security: Principles and Practice", William Stallings/Lawrie Brown
Date: Mon, 14 Apr 2008 12:34:38 -0800
BKCMSCPP.RVW   20080204

"Computer Security: Principles and Practice", William Stallings/Lawrie
Brown, 2008, 978-0-13-600424-0
%A   William Stallings williamstallings.com/CompSec/CompSec1e.html
%A   Lawrie Brown
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2008
%G   0-13-600424-5 978-0-13-600424-0
%I   Prentice Hall
%O   800-576-3800 416-293-3621 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0136004245/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0136004245/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0136004245/robsladesin03-20
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   798 p.
%T   "Computer Security: Principles and Practice"

I am woefully laggard in getting this review out, particularly since I
reviewed the text in process, last fall, and therefore have to declare
a possibility of bias.

The preface states that the book is intended as the text for a one- or
two-semester course in computer security.  The work is also addressed
to professionals as a basic reference.  In that latter regard it may
come up short, missing elements of infrastructure, fire protection,
investigation, forensics, and being rather weak in terms of
architecture and business continuity planning.

There is a rather interesting chapter zero in the volume (it and
chapter one are presumably "part zero," which is sound computing
theory, but somewhat bemusing in a book) laying out the structure of
the text, as well as pointing to the technical resource and course
Website, noted above.  Chapter one defines fundamental security terms
and concepts from various sources.  The list is comprehensive, but,
given sometimes conflicting positions, little attempt is made to
analyze, integrate, or unify the material.  There is an excellent set
of references and a solid set of questions and problems, as well as a
brief appendix addressing security standards and documents.

Part one involves computer security technology and principles.
Chapter two introduces cryptographic tools.  The basic ideas of
cryptography are presented, but one must go to other chapters and
appendices for details and usage of the technology.  This structure is
unusual in cryptographic literature, but the new perspective may
demonstrate somewhat stale abstractions in a fresh way.  It is rather
odd that the coverage of authentication, in chapter three, does not
note the IAAA model of Identification, Authentication, Authorization,
and Accountability.  Access control, in chapter four, is limited to
data access.  (The authors also follow the original paper describing
Role-Based Access Control as a form of mandatory access control, even
though RBAC is now frequently used in discretionary access control
environments.)  Chapter five's discussion of database security
emphasizes the theoretical aspects of that specialty.  Intrusion
detection is introduced in chapter six.  Malicious software is given a
scholarly, rather than practical, treatment in chapter seven, but the
content is more accurate than is usual even in the security
literature.  Denial of service attacks are addressed in chapter eight.
Chapter nine's review of firewalls concentrates, almost exclusively,
on stateful inspection, and the material on intrusion prevention
systems repeats, to a large extent, chapter six.  Trusted computing
and multilevel security, in chapter ten, are discussed in terms of
formal security models and security architecture.

Part two deals with software security, with chapter eleven being
devoted to the topic of buffer overflows, and the other software
subjects covered comprising chapter twelve.

Part three contains topics the authors consider to be management
issues.  These are (in order through chapters thirteen to eighteen),
physical and infrastructure security, human factors (primarily policy
and awareness concerns), auditing security management and risk
assessment, security controls (plans and procedures), and legal and
ethical aspects.

Part four details cryptographic algorithms, and the material is as
good as one might expect from the author of "Cryptography and Network
Security" (cf. BKCRNTSC.RVW).  Symmetric encryption and message
confidentiality, illustrated by the Data Encryption Standard and the
Advanced Encryption Standard, is the topic of chapter nineteen.
Asymmetric cryptography and hashes are in twenty.

Part five turns to Internet security.  Some Internet security
protocols and standards are listed in chapter twenty-one.  A detailed
look at Kerberos leads off chapter twenty-two's examination of
authentication applications.

Operating systems security is the subject of part six, with a look at
the Linux model in chapter twenty-three, and Windows in twenty-four.

Appendices at the end of the book provide information on number
theory, pseudorandom number generation, projects for teaching
security, standards and standards organizations, and the TCP/IP
protocol suite.

Of the various domains of information systems security, there is
limited material in regard to the security implications of various
aspects of computer hardware and architecture, the formation of an
architectural model for security design, and business continuity
planning.  Otherwise, however, the coverage is quite comprehensive,
much more so than in other course texts such as Gollman's excellent
but now aging "Computer Security" (cf. BKCOMPSC.RVW), Bishop's rather
abstract "Computer Security: Art and Science" (cf. BKCMSCAS.RVW), and
Stamp's interesting, but sometimes spotty, "Information Security:
Principles and Practice" (cf. BKINSCPP.RVW).  Anderson's "Security
Engineering" (cf. BKSECENG.RVW) is, of course, not only a solid text,
but also a useful professional reference, and Stallings and Brown might
wish to examine the practical issues dealt with in that work.  A range
of editions of the "Information Security Management Handbook" (cf.
BKINSCMH.RVW) would have similar overview, and more detail, but hardly
in a single volume.  There is also the "Official (ISC)^2 Guide to the
CISSP Exam" (cf. BKOIGTCE.RVW), and now the "Official (ISC)^2 Guide to
the CISSP CBK," but Stallings and Brown's work, while less broad and
detailed, is more academically rigorous.

copyright Robert M. Slade, 2008   BKCMSCPP.RVW   20080204


======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
I'm all in favor of keeping dangerous weapons out of the hands of
fools.  Let's start with typewriters.           - Frank Lloyd Wright
http://victoria.tc.ca/techrev/rms.htm
