most productive things for an attacker to look for. These are past experience with similar systems, unclear design, 'omniscient' security controls which can be circumvented, implicit sharing due to incomplete interface design, deviations from the policy and protection model, wrong assumptions about initial conditions, system specific anomalies, operational shortcuts, poor development practices and implementation errors. These are discussed with many references, and used to support a flaw hypothesis methodology for systematic penetration testing (i.e., attack).

'E-MAIL SECURITY: HOW TO KEEP YOUR ELECTRONIC MESSAGES PRIVATE'
B Schneier
J Wiley and Sons, ISBN 0-471-05318-X

Bruce Schneier's latest book provides a good basic introduction to email security. He starts off with a discussion of privacy and email; the threat model ranges from personal enemies to governments, and the modus operandi can extend from router attacks to traffic analysis.

This sets the stage for a discussion of security tools and mechanisms, from anonymous remailers to encryption. This is not as technical as in his book 'Applied Cryptography', but aims to give a working knowledge of PEM and PGP. He discusses some of the controversy surrounding the latter product, and describes how to set it up and use it.

The appendices include the PGP documentation, and the RFCs which specify PEM. This book should appeal to all security managers involved in getting their companies on to the Internet, as well as to individuals who want to understand the practicalities of email encryption.

'DATABASE SECURITY'
Silvano Castano, Mariagrazia Fugini, Giancarlo Martella, Pierangela Samarati
Addison-Wesley, 1994; ISBN 0-201-59375-0

This book covers database security, and much more. It starts off with an introduction to database technology, and continues to provide a grounding in modern computer security concepts, from abstract access control models through to the gritty detail of fielded products such as RACF and a number of multilevel Unices.

Having dedicated a little over two hundred pages to this foundation, it goes on to spend the same again on examining the various problems encountered in building secure database systems and to describe a number of experimental solutions. The various mechanisms used in existing multilevel systems (integrity lock, kernelised, replicated and trusted subject architectures) are described first, and experimental multilevel systems such as SeaView are compared with commercially available products.

Next, there are chapters devoted to statistical security techniques and intrusion detection, and finally the last chapter gives an extensive overview of current research directions, including active and object-oriented databases, message filters, ORION and SORION, and models by Bertino-Wiegand and Millen-Lunt. In conclusion, this is a thorough book, and a perfectly suitable introduction for graduate students wishing to do work in the field.