| | |  | Certification Central | Home » » Introduction to Computer Security | | | | | | | Description: | | In this authoritative book, widely respected practitioner and teacher Matt Bishop presents a clear and useful introduction to the art and science of information security. Bishop's insights and realistic examples will help any practitioner or student understand the crucial links between security theory and the day-to-day security challenges of IT environments. Bishop explains the fundamentals of security: the different types of widely used policies, the mechanisms that implement these policies, the principles underlying both policies and mechanisms, and how attackers can subvert these tools--as well as how to defend against attackers. A practicum demonstrates how to apply these ideas and mechanisms to a realistic company. Coverage includes - Confidentiality, integrity, and availability
- Operational issues, cost-benefit and risk analyses, legal and human factors
- Planning and implementing effective access control
- Defining security, confidentiality, and integrity policies
- Using cryptography and public-key systems, and recognizing their limits
- Understanding and using authentication: from passwords to biometrics
- Security design principles: least-privilege, fail-safe defaults, open design, economy of mechanism, and more
- Controlling information flow through systems and networks
- Assuring security throughout the system lifecycle
- Malicious logic: Trojan horses, viruses, boot sector and executable infectors, rabbits, bacteria, logic bombs--and defenses against them
- Vulnerability analysis, penetration studies, auditing, and intrusion detection and prevention
- Applying security principles to networks, systems, users, and programs
Introduction to Computer Security is adapted from Bishop's comprehensive and widely praised book, Computer Security: Art and Science. This shorter version of the original work omits much mathematical formalism, making it more accessible for professionals and students who have a less formal mathematical background, or for readers with a more practical than theoretical interest.
| | | Product Details: | | | Author:
| Matt Bishop | | Hardcover:
| 784 pages | | Publisher:
| Addison-Wesley Professional | | Publication Date:
| November 05, 2004 | | Language:
| English | | ISBN:
| 0321247442 | | Product Length:
| 9.66 inches | | Product Width:
| 7.62 inches | | Product Height:
| 1.36 inches | | Product Weight:
| 3.0 pounds | | Package Length:
| 9.3 inches | | Package Width:
| 7.4 inches | | Package Height:
| 1.2 inches | | Package Weight:
| 2.95 pounds | | Average Customer Rating:
|  based on 15 reviews |
| | | | Customer Reviews: | |
Average Customer Review:
 ( 15 customer reviews )
Write an online review and share your thoughts with other customers.
Most Helpful Customer Reviews
32 of 40 found the following review helpful:
 No, this book is not for the practical administratorFeb 03, 2005
By John L. Berger
I hate to be the fly in the ointment of the other reviews. But as someone who is more concerned with protecting his networks than trying to figure out the math behind the security, I found this book's title and description on the back cover as well as in the preface to be *highly* misleading.
By reading the preface and the back of the book, you gain absolutely no indication that this book is mired in mathematical theory with very little practical application to the everyday, IT environment. The only possible audience for this book comprises computer science students and software engineers who are into encryption, cipher algorithms, and related theories. There is absolutely no indication of that until you actually start getting into the chapters.
That is not to belittle Mr. Bishop, what he knows, or what he does. I have no doubt that as a professor at the University of California at Davis he is well respected and very knowledgeable of his field. I'm equally sure that in a scientific, trivia challenge, his knowledge and experience would beat me into the ground until I was just a thin, red film. I'm only saying that this book is not one that I can recommend to anyone who is looking for practical, security solutions, contrary to what the title might infer. It is far too mathematical in nature and creates complexities to the theories of computer security that frankly do not apply to the day-to-day systems and network administrator.
In the real world practical, IT solutions include identifying how potential intruders might gain entry to the network. Practical solutions also include how to identify weaknesses in the existing network infrastructure as well as weaknesses in the existing authentication mechanism, among others. Once these weaknesses are identified, IT people need practical solutions to eliminate those weaknesses. Even if the potential solutions are not practical at the current time, identifying what can happen until such time must happen for in order to plan the next stage of securing the environment.
These matters are certainly discussed but not in ways that most IT professional would consider to be valuable. Discussions on the Chinese Wall Model, lattices, and the Extended Euclidean algorithm are not going to be of any practical use whatsoever when you are looking to select and implement an authentication mechanism for a heterogeneous enterprise, nor are they going to be of value when you're looking a Sarbanes-Oxley auditor in the eye and he asks "So, please explain your network security implementations and how you plan on securing your login procedures."
Unfortunately, even those topics that have no direct relation to mathematics, such as availability and the implementation of an auditing system, are described through mathematical formulae. To most IT personnel, auditing involves intruder detection, log scanning, network monitoring, SNMP traps, and of course reporting tools to determine when there is suspicious activity. If I went to my manager and said that we have to anticipate pending connections based on the formula a + b is greater than cb, he'd tell me to contact the confidential, Employee Help line. I can only imagine what he'd tell me if I said that we have to tune our incoming-packet, time-out value in the Solaris kernel to be based on the Linux implementation of the Berstein and Shenk formula of h(s1,sa,sp,da,dp,s1) + n + ((2^24)*t) + [h(s2, sa,sp,da,dp,s2) mod 2^24].
Now, in fairness my review might be rather harsh, but I think it's more the frustration that this book's description is not accurate to its contents and expectations that it puts on the potential reader. Perhaps it is accurate when it comes to the actual content as suggested by the other glowing reviews, but it most certainly is not when it comes to the expected audience or what their expectation might be. In this case I'm sure that this is the right book, but the way that the preface and and back cover are written clearly are not indicative of the intended audience.
Metaphorically speaking, I was expecting to find directions so that I could drive to the nearest grocery store. Instead, I ended up reading about the physics of depressing the accelerator pedal with just the right amount of pressure in combination with the thermodynamics of the detonation of a combustible, fuel substance with a mixture of oxygen and the appropriate temperature and aperture of the ignition mechanism to create the most efficient energy source within a controlled environment. Additionally, I received information about the methodologies of harnessing that thermodynamic energy and converting it through the appropriate gear and torque mechanisms to a forward thrust thus making it possible to move the vehicle in the direction intended while simultaneously balancing out the appropriate fluid injection and combustion level. Also taken into consideration was the manipulation of the speed impedance lever so as to reduce or cease in its entirety the inertial momentum, regardless of direction, of the vehicle when necessary. Let us not forget the guidance controlling mechanism thus altering the directional inertia of the vehicle so as to project it to the destination position to which I expect the vehicle to travel.
Even with all of that, I still don't know where the nearest grocery store is.
6 of 7 found the following review helpful:
 More rigour than most computer booksOct 20, 2004
By W Boudville
Most books on computer security describe and show how to use cryptography. But often due to lack of space and audience expertise, they often do not give any detailed theory of cryptosystems. There is relatively little maths in such books. In turn, cryptography books fall into roughly two piles. One is highly mathematical and abstract; deliberately independent of any operating system or implementation. The other uses those theorems from the previous type of book, and is more tied to some software package that implements them.
Bishop's book stands differently. The level of the maths and the notation and the rigour with which he describes the cryptosystems would not be out of place in an algorithms book. But it is not all maths. There are chapters on Identity and on Access Control Mechanisms that are traditional sysadmin-type discussions. Veterans of running DEC's VMS machines will see much familiar material. But these discussions are also characterised by a level of analysis uncommonly seen in most sysadmin books. Bishop tries to show how behind such things like Access Control Lists, there is a systematic logic. Other books that might be tied to a given operating system or package might bury you in details, and obscure a general model.
If you have wanted to dig deeper into the subject and have good background in discrete maths, Bishop is worth reading.
8 of 10 found the following review helpful:
 I personally think this misses the author's stated target...Feb 15, 2005
By Thomas Duff
"Duffbert"
I recently finished the book Introduction to Computer Security by Matt Bishop (Addison-Wesley). I hope to be fair on this review, but I'm probably going to be a little harsh...
Chapter list: Preface; An Overview of Computer Security; Access Control Matrix; Foundational Results; Security Policies; Confidentiality Policies; Integrity Policies; Hybrid Policies; Basic Cryptography; Key Management; Cipher Techniques; Authentication; Design Principles; Representing Identity; Access Control Mechanisms; Information Flow; Confinement Problem; Introduction to Assurance; Evaluating Systems; Malicious Logic; Vulnerability Analysis; Auditing; Intrusion Detection; Network Security; System Security; User Security; Program Security; Lattices; The Extended Euclidean Algorithm; Virtual Machines; Bibliography; Index
OK, for the good stuff. This is probably one of the most complete academic treatments of computer security that I've ever seen. According to the preface, this is a "condensed" and updated version of the author's earlier work, Computer Security: Art and Science. His three goals, which are probably met, are to show the importance of theory to practice/practice to theory, to emphasize that computer security and cryptography are different, and to demonstrate that computer security is a science *and* an art. He also considers this book to omit much of the mathematical formalism. And that's where I start to have problems. In my opinion, he missed his target entirely.
Following the statement about omitting the mathematical formalism, we have this statement: "It is suited for computer security professionals, students, and prospective readers who have a less formal mathematical background, or who are not interested in the mathematical formalisms and would only be distracted by them, or for courses with a more practical than theoretical focus." Honestly, I don't know of many computer professionals holding down full-time jobs who would see this as a practical book. There is still a lot of mathematical "formalism" for a practical book, and I didn't finish reading this book thinking that there were a number of things I'll do different now in my job. If I were taking a college level course on computer security theory and structure, it'd probably work. But to give this to your coworker who is studying for a security certification as well as monitoring logs on a system would make him wonder if he did something to offend him...
If you need theory and coursework-style material, this book will give it to you. If you're looking for something that deals with hands-on security stuff you can use in your job tomorrow, I really think you'll be disappointed.
3 of 3 found the following review helpful:
A College Level Texbook on Computer SecurityDec 31, 2005
By Reid Ferguson
This book is as its title implies, an introduction level text on computer security. Its style and occupation of the Author indicate that it is a college level textbook on the subject. As far as giving a foundation level grounding on the subject, it covers all the usual bases and as such is worth the read. It is not a practical guide however.
It covers all the normal subjects you would expect. in good detail and depth. A lot of the examples are about UNIX or Multics. Also it has a lot (and I mean a lot) of theory and its associated math. This does make for rather heavy reading. Some chapters such as Chapter 15, Information flow require more than a little prior knowledge of programming to fully understand.
Unfortunately, I acquired this book during my study for the CISSP Certification, and although many subjects are covered, there are many more books written for the CISSP exam that cover the requirements for the exam and are better suited for that task.
In short, it is a good textbook on Computer Security. Heavy on theory and math and with a lot of examples on UNIX and Multics systems. It is not a practical guide to securing your (mostly Microsoft) Network. For those looking to pass the CISSP exam there are better study guides out there to spend your time with.
Regards
Reid Ferguson
6 of 8 found the following review helpful:
Not bad, I guess.May 08, 2005
By Dr Anton Chuvakin
"Dr. Anton Chuvakin"
While I hail from academic background, this book was too much at times for me. The book does contain some fun and useful information on security theory, which is presented well (no mean feat!). The fans of Bell-LaPadula model and such things will find them in the book.
On the other hand, it is explicitly weak on the practical side. The book seeks to connect theory and practice, but it seems that it did not completely build the connection. Most of the practical things (such as intrusion detection, malware, etc) are much better covered elsewhere. I liked the auditing chapter, however. It does contain a harmonious mix of theory and practice, fused together. Intrusion detection chapter was weaker, and it only covered ancient IDS projects such as DIDS. If you like more formal presentation of it, get Becky Bace's book.
The author states that 'computer security is not just a science, but also an art' (preface). No kidding! It pains me to say so, but practical security nowadays seems much more like an art (and, some say, a 'black art':-)) rather than real science, like physics.
The book is most useful to students of computer security, as a textbook or supporting maters (it does have exercises in the end of each chapter). It might come handy for practitioners as well, if you are into that sort of thing :-)
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II". In his spare time, he maintains his security portal info-secure.org
See all 15 customer reviews on Amazon.com
| | |
|
