
Principles of Computer Security by Wm. Arthur Conklin, Gregory B. White, Chuck Cothren, Dwayne Williams and Roger L. Davis (McGraw-Hill, 2004), 665 pages, $129.95 CDN, ISBN 0-07-225509-9.

Computer security has grown from a small field 20 years ago that was about passwords and what now seems ridiculously low-level, small-key encryption, into a field that embraces cutting-edge number theory in mathematics (for encryption), quantum physics (to ensure that the act of interception of a message will destroy it), experimental genetics (coding access by DNA unique to the user), and ophthalmology (retina scanners).

In Computer Security, five authors, all with either a connection to Texas or the U.S. Air Force, review the state of computer security. Their book is a text on the state of the art more than the latest advances in the tendrils of exotic fields that extend into security issues.

Textbooks are dull reading, but this one is so good, so balanced, and so reflective of what is happening today rather than what should happen in future that it is worth having just as a reference.

Historically, the authors trace security problems back to 1988 when the innocuous Morris worm, created at Cornell University by a grad student, became the model for mayhem that followed. The authors discuss Kevin Mitnick's capers in the late 1980s and his arrest in 1995. Mr. Mitnick was less a techie than an impersonator. Regarded as a national security threat in the U.S., he was jailed for five years. However, he really does not belong in the same company as Russian crooks who attack banking systems.

The review of mayhem includes more malware: the Melissa virus of 1999, the Love Letter Worm in May, 2000, the Code Red worm in 2001, and the Slammer worm in 2003.

What the authors infer but do not really say is that the propagation of much of this nastiness is due to digital monoculture. Specifically, the dominance of Microsoft Corp. e-mail programs like Outlook. Systems running on Linux, mid-range servers with non-MS operating systems, and Apple operating systems are only rarely the intended victims of malware. Accordingly, to protect against viruses, one can cobble together a funky system of servers that run non-MS OS and non-mainstream apps. This is no way to build efficiency, but it is a good way to thwart geeks in Moldova from raping a company.

The authors, who are good organization guys, don't support the funky software theory of security. Instead, they go by the numbers, discussing security as a corporate and social issue, conventional cryptography from the ground-floor DES solutions through asymmetric algorithms, public key-private key solutions, key escrow, and so on. There are explanations of infrastructure security, and remote access problems of letting authorized users in and keeping the bad guys out. Then come discussions of denial of service attacks (a particular goal of worm designers who want to overload networks or servers), e-mail security, web security and a short treatment of computer forensics.

Unlike many books in the computer security field, this one does not ignore Canada. The authors discuss Canadian innovations in the use of digital signatures and then expand their examination of laws relevant to computer security to the European Union. The EU, they observe, is the leader in data privacy innovations.

A few criticisms do not diminish the value of Principles of Computer Security. The book constitutes an introduction to the field as it existed at about the third quarter of 2003. That's about as good as it gets for a compendium of the almost-present state of the art.
