Computing Reviews
The art and science of computer security
Bishop M., Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2002. 1120 pp. Type: Book (9780201440997)
Date Reviewed: Dec 16 2003

Even if the goal of computer security is easy to understand--to protect computer assets--the field itself is a complex topic including many concepts and techniques. The literature on computer security is very rich, but is generally specialized for specific systems, and is therefore dedicated to experts. This book is one of the most comprehensive books to introduce and detail security concepts.

Chapter 1 introduces the book by presenting the building blocks of computer security, namely confidentiality, integrity, and availability. These three security services counter threats to the security of the system. The main classes of these threats are then presented. To counter these threats, a set of security rules must be established. This is done in a security policy that describes the constraints placed on entities and actions in a system. Chapters 2 and 3 address the foundations on which computer security relies. The most important (and most intuitive) one is the access control matrix model. An access control matrix defines each subject’s rights on protected objects.

Chapters 4 through 8 deal with expressing security requirements, which is generally achieved through the specification of a security policy. Security policy specifications range from high-level overviews to mathematical formalisms. Additionally, policies differ in their types according to their use. For example, there are integrity policies, confidentiality policies, and hybrid policies. The author describes each type with great precision and examples.

Chapters 9 through 12 cover the intuitive aspect of data privacy, and suggest cryptography as a foundation of any security infrastructure. Chapter 9 is dedicated to implementation aspects of data encryption algorithms and standards. Chapters 10 and 11 detail the main techniques of key management and ciphers. These techniques are useful for the effective application of cryptography. Chapter 12 details the main authentication techniques, such as passwords, response challenges, and biometrics.

Chapters 13 through 17 explore the implementation aspects of sharing rights and information. These aspects include design principles of security mechanisms, how to represent group and role identities within a system, the basic access control mechanisms, information flow, and the confinement problem. The latter is not as well known as the other aspects, and is about containing data for authorized users only. This includes discussing sandboxes and covert channels. A covert channel is a communication channel that communicates in a writing-between-the-lines format. This technique allows a secret communication line to be established between the sender and the receiver in order to exchange information, which can only be understood by the intended receiver.

Chapters 18 through 21 discuss security assurance, which is defined as “the confidence that an entity meets its security requirements, based on specific evidence provided by the application of assurance techniques.” Applying assurance is expensive and time consuming, and its importance is generally not well understood. The most challenging research issue is investigating new approaches to assurance and selecting the best assurance technique for specific environments.

Chapters 22 through 25 deal with new security aspects in modern systems and networks that need to be explored, such as malicious logic, vulnerability analysis, auditing, and intrusion detection. These three topics are discussed, and definitions and examples are provided.

Chapters 26 through 29 involve a practicum of the principles discussed in the previous chapters. Each chapter explores the application of these principles in a particular setting: network security, system security, user security, and program security.

Chapters 30 through 35 discuss mathematical properties of lattices, extended Euclidean algorithms, entropy and uncertainty, virtual machines, and symbolic logic. The last chapter presents a real security policy example: the University of California’s email policy.

This book is dedicated to nonexperts. It is an appropriate guide for students who want to understand computer security foundations. Each topic is well detailed, and the examples that accompany the security topics are illustrative and well explained. In addition, each chapter ends with a set of research issues and references, in order to help more experienced readers delve into the details of each subject.

Reviewer: Ghita Kouadri
Review #: CR128775 (0405-0514)
Security and Protection (C.2.0 ...)
Security and Protection (K.6.5)
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®