BKCMPSEC.RVW 930505

O'Reilly and Associates, Inc.
103 Morris St., Suite A
Sebastopol, CA 95472-9902
800-338-6887 fax: 707-829-0104
info@ora.com

Computer Security Basics, Deborah Russell and G. T. Gangemi Sr., 1991, 0-937175-71-4

"Computer Security Basics" is a pretty accurate name. The book is an overview of many aspects that go into the security of computers and data systems. While not exhaustive, it at least provides a starting point from which to pursue specific topics which require more detailed study. A thorough reading of the book will ensure that those charged with security will not miss certain aspects of the field in a single-minded pursuit of one particular threat.

Having said that, it is difficult to recommend the book as a "sole source" for information. While it contains a great deal of useful, helpful and informative material, the quality and accuracy is inconsistent. One would do well to check items with other sources.

The book starts with an introduction of what security is, and how to evaluate potential loopholes. The definition points out the useful difference between the problems of confidentiality and availability. (Also defined is the difference between a "hacker" and a "cracker".) The distinction between threats, vulnerabilities and countermeasures is helpful, but may fail to resolve certain issues. (For example, the discussion does not finally aid in determining whether a manager, too "lazy" to provide good security practices, is just a vulnerability or an actual threat.)

Chapter two gives some historical background to the development of modern data security. Chapter three looks at access control, four at viral programs and other "malware", five at systems and planning, and six at the "Orange Book". Chapters seven and eight cover communication, first with encryption and then more generally.
Chapter nine deals with physical and site security, as well as biometrics (for access control), while ten deals with the specific physical security of TEMPEST.

The book takes itself very seriously, sometimes even pompously. There does not appear to be any room for frivolity. Therefore, it is difficult to know whether the comment on page 92 that a novel in process may fall into the category of "important to you, but ... of little interest to anyone else" is unintentionally funny, or just insulting.

There are "Hints" pages scattered throughout the book, which are generally very useful and practical. Not universally: page 87 suggests that you "vaccinate" programs before running them, seemingly a reference to functions such as, among others, SCAN's "add verification", which have led to problems in the past. Page 97 stresses the importance of never eating or drinking near the terminal: I, in common with most "habitual" users, *constantly* have food or drink near the terminal. In the past fifteen years only once has soda made it into my keyboard, and someone else did that.

I have two reasons for dealing with chapter four, "Viruses and Other Wildlife", in detail. Firstly, this review was originally intended as part of a series of reviews of books related to the computer virus situation. Secondly, the problems of this chapter serve as an illustration of other parts of the book that deal with specialty areas.

The problems actually start on page seven, where an item entitled "Virus Flambe" repeats the popular, but wholly unfounded, myth that some viral programs can cause physical damage. This report again repeats the "flaming monitor" urban legend. (The Jerusalem description, just prior, is not notable for its accuracy either.) Once into chapter four, we are told that the difference between a worm and a virus is that a worm is not destructive, whereas a virus always is. The book contradicts itself: we are told both that a worm hides in host programs and that it does not.
I was intrigued to learn that Ken Thompson's demonstration of a compiler "trapdoor generator" is a virus, even though it does not "pass along" its ability to generate insecurities beyond the programs it compiles. A trojan is apparently a "mechanism for disguising a virus or worm", and always performs the "advertised" function, as opposed to something referred to as a "trojan mule" (anyone else ever heard this term before?). "Crabs" are not, as I had thought, prank programs seen on Mac and Atari computers, but a generic term for programs that "attack" the screen display.

In the appendix on "Security User Groups", the Computer Virus Industry Association (CVIA) is mentioned, while the Computer Antivirus Research Organization (CARO) and EICAR are not. The International Computer Security Association is not mentioned with the groups, but makes the book list. ("Electronic Groups" mentions Usenet, and a rather aging list of newsgroups, but doesn't mention the Internet or any of the "listservs".)

Other aspects of the book are excellent. The coverage of DES, for example, does not shy away from dealing with the controversy surrounding the standard, and is very careful in reporting the research that has been done. The chapter on TEMPEST is interesting. It becomes intriguing when TEMPEST is used as a springboard to discuss the hypothesized health risks of VDTs and states that TEMPEST may be used to shield the user (even though it goes on to say that TEMPEST sometimes involves false "emitters" within the system).

In sum, the book may be a good starting point for beginners who have to start to deal with computer security at a basic level. While there are shortcomings in the material within the book itself, there are also sufficient resources listed in the appendices to provide a guide for further study by the user.

copyright Robert M. Slade, 1993 BKCMPSEC.RVW 930505

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" (Oct. '94) Springer-Verlag