Wednesday, November 20, 2019

Book Review - "Elementary Information Security, 3rd ed." by Richard E. Smith

This book first came to my attention several years back when the first edition received glowing reviews, including recommendations for its use as a study guide for the CISSP exam. The third edition was recently released, and I pre-ordered it, considering it for use in my teaching of both undergraduate and postgraduate programs, as well as CISSP prep courses.

Table of Contents

Chapter 1, Security from the Ground Up - This starts with a very relatable (important for undergraduates with no business experience) small business scenario ("Alice's Arts") then introduces the NIST Risk Management Framework (SP800-30, -37, -60, -53, FIPS 199) along with related concepts (the CIA triad, various attacks, controls, etc.). There is no mention of ISO 27005, FAIR and other approaches.

Chapter 2, Controlling a Computer - Essentially "Platform Architecture" - computer architecture, software concepts, programs, processes, buffer overflows, etc.

Chapter 3, Controlling Files - essentially a high-level look at access control and execution policies, with a discussion of malware and a small section on vulnerability and patch management. Curiously, there is no discussion of mandatory access control systems, especially multi-level (Bell-LaPadula) access control, role-based access control, etc. (although capabilities are discussed briefly) - but see below.

Chapter 4, Sharing Files - This chapter focuses on discretionary access control: the permissions in *ix and ACL's in MacOS and Windows. It then digresses into a discussion of logging and monitoring, and a discussion of standards compliance is tacked on at the end.

Chapter 5, Storing Files - This chapter places a description of storage media and disk formats within the context of forensic investigation. Towards the end, it digresses into a discussion of operating system layering and I/O operations.

Chapter 6, Authenticating People - Here we come to discussion of authentication factors, password systems (in some detail), tokens and biometrics, with some discussion of threats and policy mixed in.

Chapter 7, Encrypting Files - This chapter provides an introduction to the basic concepts of cryptology; some discussion of classical cryptosystems is followed by a nicely-pitched discussion of some fundamental concepts such as block and stream ciphers, Vernam encryption, etc. before turning to coverage of practical file encryption programs and finally a brief treatment of DRM.

Chapter 8, Secret and Public Keys - This chapter addresses the key exchange problem along with other issues in key management. There is a minimal mathematical treatment of Diffie-Hellman and RSA, as well as hash functions, digital signatures and certificates. Good to see quantum cryptanalysis and post-quantum cryptography getting some discussion, too.

Chapter 9, Encrypting Volumes - This chapter further refines the ideas introduced in Chapter 7, providing more detail on DES and AES, and discussion of block cipher modes before building up a good description of a trusted boot operation. Along the way, various attacks are discussed.

Chapter 10, Connecting Computers - lays down the basics of networking with a security perspective.

Chapter 11, Networks of Networks - looks at the evolution of the modern Internet, routing protocols, IP and also introduces tools like nmap and Wireshark.

Chapter 12, End-to-End Networking - Transport layer protocols, DBS, firewalls & NAT and authentication protocols.

Chapter 13, Network Encryption - This chapter discusses the implementation of crypto at different levels of the protocol stack; along the way it addresses policy issues, problems of key management and distribution and the practicalities of SSL/TLS, IPSec and WPA2.

Chapter 14, Internet Services and Email - This chapter introduces the basic operation of SMTP, POP and IMAP and then discusses the related security issues: spam, scams, phishing, viruses, etc. Enterprise firewalls reappear towards the end of this chapter.

Chapter 15, The World Wide Web - The final chapter deals with the operation of the Web and the security and management challenges it poses. The latter part of the chapter deals with web application architecture, various attacks (XSS, injection, etc.) and the OWASP Top 10.

The book is supplemented by online resources which are available for one year after registration. Importantly, these include two additional chapters:

Chapter A, Enterprise Computing - This deals with insider threats, social engineering, management and policies, personnel security, physical security and some coverage of resilency and backups.

Chapter B, Governments and Secrecy - Here we find the missing discussion of classifications and clearances, multi-level security, trusted systems, etc.

The online resources also include flashcards for testing understanding of key terms and definitions, along with review slides and an image bank containing the figures from the book. An instructor site containing Powerpoint presentations, test questions and an instructor's manual is available, as well as a cloud-based virtual environment for exercise scenarios.

This is a book for reading cover to cover, rather than dipping into; the concepts build up from a crude understanding to more refined approaches ('continuous process improvement'). As can be seen from the outline above, concepts such as the use of AES in CBC mode are gradually built up over several chapters. High-level concepts - some of the 'fundamental truths' of infosec - are interspersed in the material, and the tail end of each chapter sometimes wanders off tangentially into topics which seem not to fit (e.g. compliance in chapter 4).

The text is interwoven with good examples of attacks and discussion of the relevant security issues, which help to leaven the dry theoretical concepts. The result is a quite readable textbook, rather than a reference book.

Each chapter concludes with a list of important terms and abbreviations introduced in that chapter, a set of review questions and a number of practical exercises. These are appropriate to second- or third-year undergraduates.

Some curious omissions remain: nothing on secure software development, the brief discussion of incident response does not mention the cyber kill chain or security operation centers, and databases merit only two-and-a-half pages in the final chapter. Penetration testing gets a one-sentence treatment and is not clearly differentiated from security audits and network security assessment or vulnerability scans.

The third edition claims to "cover the core learning outcomes for information security education published in the ACM's 'IT 2008' curricular recommendations", but it really ought to be based on the CSEC2017 Curriculum Guidelines for Post-Secondary Degree Programs in Cybersecurity which a) were jointly developed by the ACM, IEEE and IFIP and b) are more up-to-date, as well as the knowledge, skills and abilities (KSA's) of the NICE Cybersecurity Workforce Framework. However, the key concepts are given a contemporary treatment, and it should be possible to map to the more modern frameworks.

For CISSP candidates, this book should really be considered complementary to a CISSP-focused reference (e.g. Warsinske et. al., The Official (ISC)2 CISSP CBK Reference, Sybex, 2019). It provides a much more readable overview of the Security Engineering domain, the Communications and Network Security domain, the Identity and Access Management domain, a large part of the Security and Risk Management domain and some of the Operations domain. The online chapters are essential for CISSP candidates, while the end-of-chapter review questions and exercises are less directly relevant.

Overall, this is one of the best cybersecurity textbooks out there, covering fewer topics, but in more depth, than Ross Anderson's "Security Engineering: A Guide to Building Dependable Distributed Systems" (which is over 300 pages larger). It is certainly much more readable, much better structured and much more accurate than most of the standard CISSP review books I've had the misfortune to encounter.