Mini Review No. 2 of Computer Security books
Includes Operating System, Network and Internet Security books, and related books.
Introduction:
A number of useful books on computer security and encryption have come to my attention over the last few months. As usual the US Government has been engaged in its petty minded campaign to prevent the export of decent encryption technology outside of the US. In Europe and Australia this is not as bad as it seems because comparable, and in some cases probably better, encryption technology is available from local sources. In response the US government is trying to force all of its allies and client states to push through legislation forcing all applications using decent encryption technology to be deployed with key recovery mechanisms built in. The usual rogues gallery of drug smugglers , money launderers and pornographers is rolled out to justify these attempts to limit the right to privacy of ordinary individuals and organisations.
For all US books covering encryption technology you can (in general) find full (non US) source code (unfortunately not always well commented) for the various encryption algorithms discussed in these books. Warning: be very careful when downloading any binaries whose origins you are not certain of.
I am not sure as to what US law has to say about sending securely encrypted data into North America over transatlantic (and transpacific) communications links - no doubt some court cases will clarify the issue - if you can shed some light on this matter please email me. (No doubt there is some news group discussion that covers this topic - but I've missed it)
Sun is currently being given a hard time by the US government for doing a deal with a Russian company that has developed decent encryption software that Sun is making available for use on computers sold outside of North America. They (the US Government) seem to forget that some of the best mathematicians in the world are to be found in Russia and Eastern Europe and that there is no national or racial monopoly on mathematical talent. I wish to praise Sun on their commitment to providing decent encryption technology for non US customers, as the US attitude on export controls of decent encryption technology seems to me to be extremely arrogant.
Within Europe, France has distinguished itself by its very anti-liberal attitude towards the availability and use of encryption technology by its citizens, and indeed by anybody else on French soil. As in the US encryption technology is considered to be a "highly dangerous ????" munition that must be subject to all kinds of controls.
If you have information about the law as it applies to the use, export and posession of encryption technology in your country - especially where such laws might be considered a violation of human rights or civil liberties please send me details
In the meantime, I think that we should share our knowledge of security and encryption technology with our North American colleagues who believe in the right to privacy, even though they are prevented, by a narrow minded government, from (at least openly) returning the compliment.
List of Books included in this update:
Reviews:
Corporate Espionage - What it is, Why it's happening in your company, What you must do about it by Ira Winkler
I received an email from Ira, on the basis of the earlier mini review, in which I had mentioned a paper he'd written on the importance of people in the running of secure computer systems, telling me about his latest book. I found the book (this book) fascinating - even though I did detect a certain omission of US activity in this area - well, hardly surprising, as the book is written from the perspective of US organisations. However, now that I've pointed out the the US is no saint when it comes to government sponsored commercial espionage, I can go on to say that any manager or administrator or senior executive of any large corporation (in whatever country) concerned with the security of their company's confidential information should read this book. The message is clear and uncompromising - the industrial espionage business is alive and well ( and highly profitable ) and, where data security is concerned it is vital never to be complacent, and always to remember that security depends on people as well as on technology. Although commercial intelligence gathering is a subset of intelligence gathering some countries are particularly aggressive and systematic in their commercial intelligence gathering (the US should also be included in this list - but we'll pass over that point). From the US point of view the major perpetrators are France, Israel , Japan and Russia. All of the above countries go to great lengths to collect information about technology, competing bids on lucrative international contracts and industrial processes. There is an economic war being fought out there and its not being fought according to gentlemanly rules of conduct.
Ira's strength is that he is not (it seems from the way he writes - though one can never be to sure) a high powered technologist. He looks at the issue of security from the "human angle". In effect - he is a natural "Soft Systems Analyst" [ if you don't know about Soft Systems Methodologies - send me an email and I'll send you a list of books and references - very few people seem to know about these methodologies - which is a shame]. People problems are "soft" problems - they are difficult to regulate and to formalise but they are very relevant to the success or failure of many organisations. When it comes to security it is all too easy to be lulled into a false sense of security because all the best and latest technology has been installed. After this book has been read "for enjoyment" it should be re-read and the vulnerabilities in data and information security it exposes carefully analysed and evaluated. I would claim that any analysis would be much helped by an understanding of Soft Systems approaches.
Safeguarding Electronic Information , Ed. Jana Varlejs
This slim little paperback contains the Proceedings of the Thirty-second Annual Symposium of the Graduate Alumni and Faculty of the Rutgers School of Communication, Information and Library Studies, held in April 1995. The papers are serious and thought provoking and the references at the end of each paper threw up quite a few books, articles and papers and law reports I was not aware of. The titles of the papers are
Anyone seriously concerned with data and information security should read this book. For, in reality, security is about "having a security policy" and then enforcing it. A security policy that cannot be implemented is a dangerouse liability. In order to have a policy it has to be formulated, and when a security policy is formulated it needs to formulated in the context of a much wider perspective than the purely technological one. This little book has much to say that is relevant to formulating a data security policy - provided it is read intelligently.
[P.S. - if you are a librarian and would like to work part time adding mini reviews and building up a database summarising reviews of technical books in technical journals, as well as helping out with orders, answering customer queries etc. then I would love to here from you. - send an email to me (awe@itbs.co.uk).]
Internet Security - Risk Analysis, Strategies and Firewalls, by Othmar Kyas
I found this to be quite a readable book, full of useful tips and checklists without being too technical. It provides a good overview of the standard technologies and options at a level appropriate to technical managers and network designers / administrators. A good, conventional overview of the current state of affairs in this area.
Although the author works in Germany, he is employed by a US company. Maybe this explains why the book has so few pointers to European and Australian web sites where public domain copies of various encryption algorithms, security packages and tools are to be found.
For instance there is practically no mention of SESAME, Europe's equivalent (and many would say superior) to MIT's Kerberos 5, nor to some excellent research on applications of SESAME to Internet security being carried out both in Europe and in Australia.
Also, there is no good bibliography to commercially available European encryption engines, and there is no serious discussion of IDEA.
NOTE: The reference implementation of SESAME was going to include a full implementation of the encryption software but , SURPRISE, SURPRISE, I am told that the French Government pressed very hard for this part of the implementation not to be made publicly available.
Should anybody be interested in writing an in depth technical book describing SESAME, and complete with fully documented working source code (prefereably a version that will run under LINUX) please let me know. ITBS's sister company Etherpress would be very interested in publishing such a book.
Web Security & Commerce by Simson Garfinkel and Gene Spafford
As usual, O'Reilly have produced another fine book. There is much excellent information packed into this volume. If you are a technical manager or a system administrator and have read the lighter books on Internet and Network security such as those by Hughes, or Kyas or Sijan, and you still feel you need to know more - then this is a very good starting point. Much research has gone into the writing of this book and it is a very good starting point for further in depth study. The coverage of topics is almost encyclopaedic, including subjects such as
Java Security - Hostile Applets, Holes and Antidotes, by Gary McGraw and Edward W. Felten
Currently this is THE BOOK on Java Security. Edward Felten is a member of Princeton's Safe Internet Programming team ( http://www.cs.princeton.edu/sip ), and Gary McGraw is a researcher at Reliable Software Technologies Corporation. The authors describe the Java security model clearly, as well as the security problems associated with Java and are to be congratulated on a job well done. The contents of the book provide a good foundation that needs to be continually supplemented by visiting all the standard internet sites providing further information about more recently discovered security threats and loopholes
As with all rapidly evolving technologies many new developments in this area have occurred in the months since the book went to press - all this information is available via the web sites listed above, and no doubt much of it will be included in the second edition of this book.
Secure Computing - Threats and Safeguards , by Rita C. Summers
This is a truly formidable book. Mc Graw Hill is to be congratulated on persuading Rita Summers to impart her experience and wisdom to the network computing community. I have been asked to write a number of seminars on TCP/IP and Internet security this year and my own personal copy of this book is "well worn" - surely a tribute to the vast amount of knowledge compressed into this already huge (almost 700 pages) book. Not a "light reading" book, and somewhat academic and dry in style but nevertheless excellent. The book is worth having for the reference lists alone - it can save days of research time. I think it should be in the library of any computer profession concerned with security matters.
The sections I found particularly valuable were those on
Practical Cryptography for Data Internetworks , by William Stallings
This is really a collection of Journal Articles and Technical Reports together with introductory overviews and explanations.
There are three main parts
Having mastered all the material presented here, and studied some of the implementations of DES, RSA and IDEA in source code form the reader will be well placed to investigate some of the more recent papers - which can be found by doing a standard literature search through the journals represented here, as well as a literature search on the authors whose papers are collected in this volume.
Securing Client/Server Computer Networks, Ed. Peter T. Davis
As with all books made up of a collection of articles and papers collated by a technical editor the quality of the articles is somewhat variable. Also, because of the nature of the editorial process involved in putting together books of this sort the papers are not the most up to date.
Nevertheless the book is valuable for those working in distributed heterogenous environments containing mainframes, Vaxes, Unix Server, Windows NT server and a variety of workstations.
The chapter covering the DCE standard is a useful introduction to the subject, and the discussion of C2 and C2+ security on the network is as good a starting point to this subject area as any.
The papers on Securing Rapid and Object-Oriented Devlopment, Securing the Desktop and Securing the Front End I found relevant - as these are topics that are all too often overlooked in the haste to complete a project on time.
I found the paper on Securing DB2/2 a little short - maybe this is because I tend to be more of an Informix, Oracle and SQL Server person, and so am not that familiar with the small print technical aspects of DB2. The paper on securing Oracle was a bit too short for my taste - but then I am quite familiar with Oracle as a product and was hoping for something deeper. Maybe I was also expecting articles on Informix , Sybase and SQL Server security issues and (more hopefully) a comparative study of security and its performance implications for all of the database management systems mentioned.
Being familiar with TCP/IP I found the Securing Client/Server TCP/IP paper standard, and the papers covering Securing APPC/APPN, VTAM and NetView harder. I suspect that mainframe specialists would have told the converse story. Still, it's good to study operating systems and applications one is not familiar with, if only to check out the similarities and differnces in approach.
The chapters on securing various operating systems - UNIX, Open VMS, Microsoft Windows NT, OS/2 LAN Server and MVS were useful from a comparative study point of view. I would have been more impressed had their been a chapter on securing heterogenous systems e.g. MVS to UNIX interworking, and Open VMS to Windows NT interworking - but alas there were no articles of this nature to be found.
The paper on CICS and Transaction Process Monitoring was extermely short - it could have been considerably enhanced, as was the paper on Securing Lotus Notes.
In summary - a good reference book to have in the corporate or project team library but not the sort of book to buy for personal use.
Network Security - Private Communication in a PUBLIC World, by Charlie Kaufman, Radia Perlman, Mike Speciner
I have a lot of respect for Radia Perlman. Her book "Interconnections" on Bridges and Routers is still one I refer to often. This book is up to her usual high standards, and she and her co-authors are to be congratulated on doing a difficult job really well.
The explanations and discussions are clear and well illustrated with examples. The style of authoring is very geared towards stimulating the reader to think for him/herself - when it comes to security you can trust no one. If you are serious about security, and, anyone who cares passionately about privacy and civil liberties and freedom of speech and thought should be, then it is important to understand the technology. (Otherwise those who think they know best will make the technology ensuring the right to private communications over public networks unavailable).
This is not an easy book, and it is a serious book, but you do not have to be a mathematical genius to understand it, and the authors present the subject in such a way that it is difficult not the be fascinated and intrigued by the various problems that have had to be solved to develop secure communications systems. I would urge as many people as possible to study this book carefully. My hope is that once you have been "bitten by the bug to know more" you will be tempted to start programming and studying the necessary algorithms and sharing them with other like minded individuals.
For technical project managers, designers of secure systems and network administrators this is a "must have" book.
If you asked me which aremy favourite / most useful books in this area are I would have to say
as well as the O'Reilly books on computer and network security.
Email , comments, inquiries orders to