Rita Summers. Secure Computing: Threats and Safeguards. McGraw-Hill, 1997. $59.95. Acronym list and index. Each chapter has a summary, bibliographic notes, exercises and references. 688 pages. ISBN 0-07-069419-2. LoC QA76.9.A25S85


Reviewed by Bob Bruen, Cipher Book Review Editor

Summers has divided the book into four parts: (1) Foundations, (2) Methods, (3) Security in Computer Networks and (4) Management and Analysis. These parts provide the outline for a well organized presentation, balanced between technical topics such as cryptography and management topics such as policy. She has done an excellent job in both areas, not as common a feat as one would like. Her information-theory and model-based discussions of policy are clear and precise, as are the comprehensive descriptions of cryptographic methods (yes, she defines the terms cryptology and cryptanalysis as well).

The book works as a handbook for technology managers, as a textbook and as a good book to read about computer security. In spite of the comprehensive approach, there is generally enough detail in each subject to get a good grasp of each idea. She has summarized instead of glossed over ideas, making sure there are plenty of pointers if you want to expand your knowledge. The bibliographies and references are extensive, indicating the research done for the book. A security professional might like to see more detail in the individual sections, but there will not be any complaints about how thorough she has been.

Foundations includes a good introduction, a helpful chapter on the context in which we find computer security, a chapter on threats, and a fourth chapter on policies and models. For most computer managers, threats seem to come from everywhere, but Summers helps to narrow them down. The policy chapter is really a gem. She goes past the usual problem of trying to convince management to pay for security into the technical basis of integrity and several theoretical models.

Methods is almost half the book, covering cryptography, designing and building secure systems, protection mechanisms, operating system security, and database security. The database chapter is up to date with a section on object-oriented databases. The operating systems chapter covers principles of built-in OS security, then looks at commercial operating systems such as Unix, MVS, VMS, NT, etc., with a slight bias toward MVS, but then she did spend some time at IBM working on security.

Network security is separated into basic network security and distributed systems. These are straightforward and well covered. Novell NetWare has its own section, as do distributed file systems, remote access and mobile computing. Kerberos is covered as part of the section on authentication, but other aspects of authentication are treated as well.

Management and analysis has a chapter on each topic. Management covers the job that needs to be done, the organization, employees, contingency planning and incident response. In analysis, we find risk analysis, auditing, vulnerability testing and intrusion detection. Throughout these chapters we have step-by-step methods, examples, techniques and financial considerations. If you are new to this field, you will not miss much if you follow her advice. If you are experienced, you might be reminded of something to pay attention to.

This is a valuable resource from an experienced security professional who knows how to write. Recommended reading.