Taking care of business in the hackeruniverse

The abrupt interest in the "information superhighway" combined with the continued slide in computer prices has provided unparalleled opportunities for computing applications, while providing few checks on the potential uses of the technology.

This situation is not necessarily new: "hackers" have been attacking computer systems worldwide for many years. However the current-day accessibility of machines allows almost any person - be it a secretary, disgruntled employee or an enterprising hacker to gain experience easily of how to use a computer in ways unplanned for by the original software designers. This is evidenced in the growing reports of computer crime and technology "accidents"; of banks and other companies being defrauded and damaged by malicious users. However, the problem is not limited to that being reported, as many institutions do not report their losses in an attempt to avoid bad publicity.

With the growing interest, worldwide, in computer inter-connectivity, the need for teaching good security techniques at all levels becomes increasingly important, allowing software designers to build systems more easily audited and helping managers to be more cognisant of the various security implications in a world of increasing dependence on information technology.

In Karen Forcht's book, a broad coverage of the computer security field is presented, directed towards managers in the information technology industry. The book is extremely well structured in its layout, giving complete references, indexes and exercises for every section; as such, it would do well as background reading for many a course. The coverage in the book is excellent, ranging from the basic end of the field: protecting the hardware of the computer system; to the more general concepts such as professional guidelines for ethical use of computers, taken from a variety of computer societies. Throughout the book, extensive background information behind many of the problems in current state-of-the art security systems is given, often in the form of quotes from other journals. This gives a good feel to the book, making it very comfortable for the reader. However, because of the broad range of subjects and background material, a fair amount of detail is lost, especially in the areas where it may be useful in a higher level, such as undergraduate course. Unfortunately, the book is also biased towards the United States viewpoint and so anyone using the book for guidelines on security should be aware of this.

Forcht's book provides many checklist oriented guidelines, for effective management of a computer installation. This book would give anyone with little prior knowledge of information technology a good grounding in the issues surrounding security and maintenance of a computer system.

Bhaskar presents a more rigorous approach in his book: Computer Security: threats and countermeasures, giving a more formal definition and grounding of security concepts, which would be useful at an undergraduate level of teaching. Bhaskar's approach is based on an Esprit project to provide a study of information technology security and to provide guidelines for future European standards.

Bhaskar presents a model early on in the book to classify types of security threats in three ways: as active or passive, physical or logical and deliberate or accidental. Using this classification system, a review of security threats is presented, together with some of the solutions used to prevent them. This book provides a set of information very similar to that found in Forcht's book, although Forcht gives a more complete review, albeit less formally.

In the second part of the book however, Bhaskar presents his model known as MoSel: a Model for Security development. His model provides a formal approach for categorising and reviewing the security risks in a system. Using this analysis, he describes how the security implementation should be approached and later audited. Bhaskar puts forward the idea that security auditing is one of the most critical aspects of IT security and provides an extensive study of methods of auditing and calls for more standards in this field.

The final part of the book provides an example of the use of the MoSel model in a "real-world" application, the design of a secure system for treasury management of an institution. The final section successfully solidifies many of the earlier concepts as the initial presentation of ideas in the book is often fairly abstract. Bhaskar gives a thorough set of appendices giving information on the various standards bodies involved in security and overviews of some of the security classification systems currently in use. Unfortunately, Bhaskar's book suffers a major problem: it lacks a bibliography despite frequent citations throughout the text. This severely handicaps the book as a reference text.

Forcht's book gives a wealth of interesting background information throughout the field of systems security, and as such would be interesting reading for any person wishing to explore the security issues of information technology. However its use as a reference text is limited by the lack of detail.

Bhaskar's book would be more useful for reference, and the model presented in his book provides a fairly thorough system for analysing security at any site. The field of computer security is rapidly undergoing revision owing to the sudden wealth of network technology and growing accessibility of computers to people who need not be technically adept. Because of this, any book on the subject may well date quickly.

However, both books pay special attention to the ground-rules of security management, which will not go out of date quickly. Particular implementations of security systems will be evolving rapidly over the next few years, however a general education in security techniques, as presented in Forcht's book, and a good mechanism for evaluating the security of any system, are vital components in a successful overall security design for an organisation.

Nick Williams is research associate in the Systems Architecture Research Centre, the computer science department of City University.