Security is a hot, yet tough, topic these days. Computer security, in a broad sense, spans several interdisciplinary areas. It is sometimes difficult to identify good literature, both to grasp the essential ideas and to be able to teach them. This excellent book covers several useful and very practical topics in computer security, from cryptographic protocols to software vulnerabilities and malware. It is full of very thoughtful examples, lots of handy illustrations, and even small exercises for teaching purposes.
The preface explains how the book is organized, provides some suggestions on how to proceed in your reading, and discusses the teaching purpose of the book.
In chapter 1, the author gifts the reader with a detailed description of today’s security goals, including the typical topics of confidentiality, integrity, and availability, but also privacy, anonymity, and accountability. An interesting point in this introduction is the inclusion of adversary model concepts, or what we assume an intruder can actually do; risk analysis, that is, what are the relevant assets to be protected; and security policies, that is, guidelines to be followed in order to ensure some level of security. I personally like the 20 design principles and the 20 aspects summarizing this introduction, which nicely capture the essence and problematic nature of computer security.
Computer security heavily relies on some scaffolding blocks. Chapter 2 explains the following in detail: encryption, which forbids an intruder from accessing the payload message; signatures, which forbid an intruder from faking the origin of a payload message; and hashing, which forbids an intruder from inconspicuously altering parts of a message.
Chapter 3 moves away from background knowledge and tackles the problem of user authentication in computer systems, in light of its threats and defenses. Several basic notions are included, such as brute force or dictionary-based password guessing, as well as policies and common guidelines for password selection. Modern approaches such as one-time passwords and multi-factor using different channels are also discussed. An important part of this chapter is its discussions of biometric authentication, which is becoming more and more important to the latest cellphones, and graphical-based passwords such as CAPTCHAs.
Chapter 4 introduces readers to key establishment protocols, which are the cornerstone of many computer systems. Several key notions are discussed, for example, the use of nonces and timestamps. The chapter focuses on the Diffie-Hellman type of protocols, which relies on numerical properties of exponents and shows multiple attacks based on different numerical or algebraic properties exploited by an intruder.
Chapter 5 explains security information in operating systems, which are the basis of any computer system. The author focuses mainly on well-established access control policies, including access matrices, access control lists, and identity-based mechanisms. The chapter provides an overview of access control in storage systems, including system files in common operating systems such as UNIX-based systems.
Chapter 6 focuses on software security. It enumerates the different flaws in programming languages that are commonly used by attackers, such as integer overflow, dangling pointers, and stack and heap buffer overflows. Many well-explained examples demonstrate the basic vulnerabilities exploited by attackers and discussed later in the book.
Chapter 7 explains how attackers exploit flaws in software security. It covers viruses, malware, worms, and ransomware, as well as backdoors, keyloggers, and rootkits, including their consequences to computer systems.
Chapter 8 discusses key management systems, which are complementary to any of the other chapters. It clarifies the terminology associated with certificates, certification authorities, and validity and revocation. Different models of key infrastructure are explained, as well as two main applications to the transport layer security (TLS) used in web browsers and signed emails.
Chapter 9 discusses web browsers. Basic knowledge of uniform resource locators (URLs), protocols, and web pages is provided. The chapter focuses on security issues raised by cookies and SQL injection (which are usually performed via web browsers).
Chapter 10 discusses defenses related to virtual communication. The chapter focuses on how firewalls work as a primary defense mechanism in computer systems by analyzing and rejecting undesirable traffic. The chapter also discusses the main technology for passive defense: secure channels.
Chapter 11 discusses defenses related to intruder detection. Nowadays, it is mostly assumed that new software vulnerabilities are continuously discovered, and many efforts have been diverted to intruder detection. This chapter explains the main concepts of traffic sniffers, port or vulnerability scanners, and penetration testing. Modern attacks based on denial of service (DoS) and name resolution are presented.
The references to further reading in each chapter are extremely useful. The double-dagger symbol and the reading sequences are extremely beneficial for readers who want to focus on a specific topic. My only complaint is that some chapters leave you hungry for more; however, it would have been impossible to cover all these topics in greater detail without risking tediousness.
I think the book is a good compromise between understanding the essentials of computer security and giving concise yet useful examples and explanations. I really enjoyed reading it.