Introduction to Computer Security
October 2004
Publisher: Addison-Wesley Professional
ISBN: 978-0-321-24744-5
Published: 01 October 2004
Abstract

In this authoritative book, widely respected practitioner and teacher Matt Bishop presents a clear and useful introduction to the art and science of information security. Bishop's insights and realistic examples will help any practitioner or student understand the crucial links between security theory and the day-to-day security challenges of IT environments.

Bishop explains the fundamentals of security: the different types of widely used policies, the mechanisms that implement these policies, the principles underlying both policies and mechanisms, and how attackers can subvert these tools--as well as how to defend against attackers. A practicum demonstrates how to apply these ideas and mechanisms to a realistic company.

Coverage includes:
  • Confidentiality, integrity, and availability
  • Operational issues, cost-benefit and risk analyses, legal and human factors
  • Planning and implementing effective access control
  • Defining security, confidentiality, and integrity policies
  • Using cryptography and public-key systems, and recognizing their limits
  • Understanding and using authentication: from passwords to biometrics
  • Security design principles: least-privilege, fail-safe defaults, open design, economy of mechanism, and more
  • Controlling information flow through systems and networks
  • Assuring security throughout the system lifecycle
  • Malicious logic: Trojan horses, viruses, boot sector and executable infectors, rabbits, bacteria, logic bombs--and defenses against them
  • Vulnerability analysis, penetration studies, auditing, and intrusion detection and prevention
  • Applying security principles to networks, systems, users, and programs

Introduction to Computer Security is adapted from Bishop's comprehensive and widely praised book, Computer Security: Art and Science. This shorter version of the original work omits much mathematical formalism, making it more accessible for professionals and students who have a less formal mathematical background, or for readers with a more practical than theoretical interest.

Cited By

  1. Khobzaoui A, Benhamouda M and Fahsi M. Data mining Contribution to Intrusion Detection Systems Improvement, Proceedings of the 10th International Conference on Information Systems and Technologies, (1-8).
  2. Weichbroth P, Łysik Ł and Li Q (2020). Mobile Security, Mobile Information Systems, 2020, Online publication date: 1-Jan-2020.
  3. Mamonov S and Benbunan-Fich R (2018). The impact of information security threat awareness on privacy-protective behaviors, Computers in Human Behavior, 83:C, (32-44), Online publication date: 1-Jun-2018.
  4. Albalawi T, Melton A and Rothstein M. A New Approach to Data Dynamic Integrity Control, Proceedings of the International Conference on Internet of things and Cloud Computing, (1-8).
  5. Taylor B and Kaza S (2016). Security Injections@Towson, ACM Transactions on Computing Education, 16:4, (1-20), Online publication date: 13-Oct-2016.
  6. Schmeelk S, Yang J and Aho A. Android Malware Static Analysis Techniques, Proceedings of the 10th Annual Cyber and Information Security Research Conference, (1-8).
  7. Jensen M. Applying the protection goals for privacy engineering to mobile devices, Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, (1-2).
  8. Simpson A, Martin A, Cremers C, Flechais I, Martinovic I and Rasmussen K. Experiences in developing and delivering a programme of part-time education in software and systems security, Proceedings of the 37th International Conference on Software Engineering - Volume 2, (435-444).
  9. Williams J (2015). Paula Rice: The C-Suite via the Rabbit Hole, IT Professional, 17:3, (70-72), Online publication date: 1-May-2015.
  10. Boyes H (2015). Security, Privacy, and the Built Environment, IT Professional, 17:3, (25-31), Online publication date: 1-May-2015.
  11. Rachapalli J, Khadilkar V, Kantarcioglu M and Thuraisingham B. Towards fine grained RDF access control, Proceedings of the 19th ACM symposium on Access control models and technologies, (165-176).
  12. Krishnan V, Tripunitara M, Chik K and Bergstrom T. Relating declarative semantics and usability in access control, Proceedings of the Eighth Symposium on Usable Privacy and Security, (1-13).
  13. Kiertscher T, Vielhauer C and Leich M. Automated forensic fingerprint analysis, Proceedings of the COST 2101 European conference on Biometrics and ID management, (262-273).
  14. Azadmanesh M and Sharifi M. Towards a system-wide and transparent security mechanism using language-level information flow control, Proceedings of the 3rd international conference on Security of information and networks, (19-26).
  15. Hoke C. Internet voting, Proceedings of the 2010 Workshop on Governance of Technology, Information and Policies, (61-70).
  16. Steinbacher P, Fankhauser F, Schanes C and Grechenig T. Black-box approach for testing quality of service in case of security incidents on the example of a SIP-based VoIP service, Principles, Systems and Applications of IP Telecommunications, (101-110).
  17. Schleinzer B and Yoshioka N. A security pattern for data integrity in P2P systems, Proceedings of the 17th Conference on Pattern Languages of Programs, (1-5).
  18. Abawajy J. Design and Delivery of Undergraduate IT Security Management Course, Proceedings of the 3rd International Conference and Workshops on Advances in Information Security and Assurance, (402-411).
  19. Marchand H, Dubreil J and Jéron T. Automatic Testing of Access Control for Security Properties, Proceedings of the 21st IFIP WG 6.1 International Conference on Testing of Software and Communication Systems and 9th International FATES Workshop, (113-128).
  20. Monteiro S and Erbacher R (2008). An authentication and validation mechanism for analyzing syslogs forensically, ACM SIGOPS Operating Systems Review, 42:3, (41-50), Online publication date: 1-Apr-2008.
  21. Myers J and Riela S (2008). Taming the diversity of information assurance & security, Journal of Computing Sciences in Colleges, 23:4, (173-179), Online publication date: 1-Apr-2008.
  22. de Oliveira A (2007). Rewriting-Based Access Control Policies, Electronic Notes in Theoretical Computer Science (ENTCS), 171:4, (59-72), Online publication date: 1-Jul-2007.
  23. Yu H, Liao W, Yuan X and Xu J. Teaching a web security course to practice information assurance, Proceedings of the 37th SIGCSE technical symposium on Computer science education, (12-16).
  24. Yu H, Liao W, Yuan X and Xu J (2006). Teaching a web security course to practice information assurance, ACM SIGCSE Bulletin, 38:1, (12-16), Online publication date: 31-Mar-2006.
  25. Aura T, Kuhn T and Roe M. Scanning electronic documents for personally identifiable information, Proceedings of the 5th ACM workshop on Privacy in electronic society, (41-50).
Contributors
  • University of California, Davis

Reviews

Antoine Joux

Computer security is a growing concern in our information-based society. The goal of this book is to present the state of the art in this field to a general audience, including computer security professionals and students. The book's organization is very similar to that of another book by Bishop [1]. A large part of the text, and of the examples and the exercises, is also common. Like its predecessor, the book is divided into several parts and many chapters. For some reason, the parts are not made explicit in the book, or in the table of contents. According to the table of contents of Art and science [1], the parts are: "Introduction," "Foundations," "Policy," "Implementation: Cryptography," "Implementation: Systems," "Assurance," "Special Topics," and "Practicum." A few extra chapters, with some background information, have been added at the end.

This very similarity is the weak point of the book. The structure of a largely mathematical textbook, such as Art and science [1], is not suited for a broad audience. Just to give an example, this book's intended readers are probably much more familiar with mass operating systems, such as Windows. Thus, the large amount of Unix-based examples and exercises is probably missing the point. Similarly, the programmer-oriented issues, which offer nice examples of good and bad programming practices, are too technical to be of general interest. The style of writing and the focus of the book vary greatly from one part to the next. Some parts are captivating, and others are very formal, even though the mathematics have been omitted. The most interesting part is the discussion of various threats and attacks, especially chapter 19, on malicious logic. There, the sections on Trojan horses and viruses could have been expanded, to cover more recent examples. In particular, several recent Trojan horses and viruses make use of the preview capabilities of some mail readers. Knowledge of these threats could be very useful to readers.

The practicum part is also interesting; however, the chosen example is probably too complicated, and it would have been nice to see a simpler example, focusing on the security of home computers. On the other hand, the parts about policy and assurance are formal, and hard to read.

Worst of all is the exposition of cryptography, which is at best outdated, and often misrepresents the current knowledge in this field. Classical cryptosystems are not used, and should not be used, in computer security, so why present them in such detail? A cryptosystem is not only a tuple of sets and functions, it should also satisfy security properties, such as indistinguishability from an idealized primitive. These properties have been developed into a nice theory of concrete provable security by Bellare and others. Similarly, plain textbook RSA is known to be weak, due to a large variety of multiplicative attacks. It would be nice to present the correct usage of the primitive, which involves nice and provable padding techniques, such as Shoup's optimal asymmetric encryption padding (OAEP).

Another drawback to the book is its absence of information about hardware security. Securing hardware implementations is a difficult task, which involves knowledge of various threats, such as compromising emanations, demonstrated by the program Tempest for Eliza, or several recent attacks on smartcards based on power analysis and fault attacks. Moreover, with the advent of wireless networks and the quickly developing usage of smartcards and radio frequency identification (RFID), these topics present a direct interest for most of us.

In conclusion, I do not believe that this book reaches its goal of presenting a general introduction to computer security to a broad audience. Still, I would recommend it to students and researchers in cryptography who are seeking an overview of software security. However, this audience might as well read the author's other book [1].

Online Computing Reviews Service
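The review's point that plain textbook RSA is weak because of multiplicative attacks, and that a padding scheme such as OAEP is the correct way to use the primitive, can be checked directly. The Python below is an added example; it is not code from the ACM page, from the book, or from the reviewer. It generates a toy RSA key (768 bits, chosen only so the demo runs quickly; real keys are at least 2048 bits) and implements EME-OAEP as specified in RFC 8017 with SHA-256 and an empty label, written here from the standard. Then it shows both halves of the review's claim: with raw RSA, anyone holding only the public key and a ciphertext can multiply the ciphertext by s^e and change the decrypted value from 1000 to 3000 without the private key; the same manipulation of an OAEP ciphertext destroys the padding structure and the decoder rejects it. The function names, the constructed plaintexts (1000 and b"amount=1000"), and the convention of returning None on rejection are this example's own assumptions.

```python
import hashlib
import secrets

H_LEN = 32  # SHA-256 digest length used by the OAEP helpers

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(cand):
            return cand

def keygen(bits=768):
    """Toy RSA key pair; 768 bits keeps the demo fast, real keys need >= 2048."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return (n, e), (n, pow(e, -1, phi))

def rsa(key, x):
    """Textbook RSA exponentiation: encrypt with (n, e), decrypt with (n, d)."""
    n, exp = key
    return pow(x, exp, n)

def mgf1(seed, length):
    """MGF1 mask generation with SHA-256 (RFC 8017, B.2.1)."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k):
    """EME-OAEP encoding (RFC 8017, 7.1.1) with an empty label into k bytes."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long for this modulus")
    l_hash = hashlib.sha256(b"").digest()
    db = l_hash + b"\x00" * (k - len(msg) - 2 * H_LEN - 2) + b"\x01" + msg
    seed = secrets.token_bytes(H_LEN)  # fresh randomness per encryption
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k):
    """Reverse of oaep_encode; returns None when any structural check fails."""
    if len(em) != k or em[0] != 0:
        return None
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    if db[:H_LEN] != hashlib.sha256(b"").digest():
        return None  # label hash mismatch
    sep = db.find(b"\x01", H_LEN)
    if sep == -1 or any(db[H_LEN:sep]):
        return None  # no 0x01 separator, or padding string not all zeros
    return db[sep + 1:]

def encrypt_oaep(pub, msg):
    k = (pub[0].bit_length() + 7) // 8
    return rsa(pub, int.from_bytes(oaep_encode(msg, k), "big"))

def decrypt_oaep(priv, c):
    k = (priv[0].bit_length() + 7) // 8
    return oaep_decode(rsa(priv, c).to_bytes(k, "big"), k)

def scale_ciphertext(pub, c, s):
    """Multiplicative property: (c * s^e) mod n decrypts to (m * s) mod n; needs only the public key."""
    n, e = pub
    return (c * pow(s, e, n)) % n

def demo(bits=768):
    pub, priv = keygen(bits)
    # Textbook RSA: the scaled ciphertext decrypts to 3 * 1000 = 3000 (constructed values).
    raw = rsa(priv, scale_ciphertext(pub, rsa(pub, 1000), 3))
    # OAEP: the same manipulation destroys the padding structure and is rejected (None).
    tampered = decrypt_oaep(priv, scale_ciphertext(pub, encrypt_oaep(pub, b"amount=1000"), 3))
    roundtrip = decrypt_oaep(priv, encrypt_oaep(pub, b"amount=1000"))
    return raw, tampered, roundtrip  # (3000, None, b'amount=1000')
```

Calling demo() returns (3000, None, b'amount=1000'). The lesson the review is pointing at: the raw primitive preserves multiplication, so any protocol that feeds unpadded integers to RSA allows a ciphertext to be rewritten without the key, while OAEP's randomized, hash-checked structure turns the same manipulation into a detectable decoding failure. A production decoder must additionally avoid revealing which check failed (through timing or distinct error messages), and should come from a vetted library rather than this hand-rolled version.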
