Elementary Information Security

Posted on by Ben Rothke

When I first got a copy of Elementary Information Security, based on its title, weight and page length, I assumed it was filled with mindless screen shots of elementary information security topics, written with a large font, in order to jack up the page count.  Such an approach is typical of far too many security books.  With that, if there ever was a misnomer of title, Elementary Information Security is it. 

For anyone looking for a comprehensive information security reference guide - Elementary Information Security is it. While the title may say elementary, for the reader who spends the time and effort to complete the book, they will come out with a complete overview of every significant information security topic. 

The book is in fact a textbook meant to introduce the reader to the topic of information security.  But it has enough content to be of value to everyone; security notices or experienced professional. 

Author Richard Smith notes that if you want to get a solid understanding of information security technology, you have to look closely at the underlying strengths and weakness of information technology itself, which requires a background in computer architecture, operating systems and computing networking. 

With that, Elementary Information Security is a tour de force that covers every information security topic, large and small. The book also provides a relevant overview of the peripheral topics that are embedded into information security.  

In 17 chapters covering over 800 pages, the book is well organized and progressively gets more complex.  Two large chapters of the book are freely available online, with chapter 3 here and chapter 9 here

The following are the chapters in the book, which shows a comprehensive overview of all of the core areas around information security: 

  1. Security From the Ground Up
  2. Controlling a Computer
  3. Controlling Files
  4. Sharing Files
  5. Storing Files
  6. Authenticating People
  7. Encrypting Files
  8. Secret and Public Keys
  9. Encrypting Volumes
  10. Connecting Computers
  11. Networks of Networks
  12. End-to-End Networking
  13. Enterprise Computing
  14. Network Encryption
  15. Internet Services and Email
  16. The World Wide Web
  17. Governments and Secrecy 

The early chapters focus on the fundamentals of computers and networking, and the core aspects of information security.  The chapters progress in complexity and deal with distributed systems and more complex security topics.  The mid-chapters deal with cryptography, starting with an introduction to the topic, into more complex topics and scenarios.  One is hard-pressed to find an information security topic not covered in the book. 

Chapter 1 is on Security from the Ground Up and lays the groundwork for what security is.  Various topics around risk are detailed; such as identifying, prioritizing and assessing risks. 

Chapter 2 is on Controlling a Computer and reviews the underlying architecture around computers.  

For some people, much of their learning about information security is based on rote memorization.  In the book, Smith eschews this and each chapter closes with a glossary of topics, and penetrating questions.   There are also problem definitions which detail practical situations with the hope that the reader can create and adequate security solution.  The reader who spends extra time reviewing the questions will find that it will significantly help in their mastering the myriad topics.

The goal of the questions and exercises is to make the knowledge real. Some of the exercises include watching movies with computer security related topics such as The Falcon and the Snowman,Crimson Tide, and others.  For example, in The Falcon and the Snowman, the author asks the reader to identify two types of security measure that would have helped prevent theft of the crypto keys.  InCrimson Tide, it asks the reader to consider the missile launch procedures portrayed in the film and asks if it is possible for a single person to launch a nuclear missile.  Another scenario is that under what circumstances a recipient should accept an unauthenticated message.  It also asks the reader to give an example of a circumstance in which accepting an unauthenticated message would yield the wrong result.

The book is not meant as a For Dummies guide to the topic, and it assumes a college-level comprehension of relevant mathematical concepts.  Note though that the requisite math is detailed in the sections on encryption and cryptography. 

The book is also the first textbook certified by the NSA to comply with the NSTISSI 4011 standard, which is the federal training standard for information security professionals.  The author notes on his blog that in order to gain that certification, he had to map each topic required by the standard to the information as it appears in the textbook. 

Given the value of the book, (ISC)² should consider using this title as a reference for their CISSPcertification.   With all of the CISSP preparation guides available, even the Official (ISC)2 Guide to the CISSP CBK, one is hard pressed to find a comprehensive all-embracing security reference such as this.  Some may even want to simply use this book as their definitive CISSP study guide.

For those looking for a single encyclopedic reference on information security, they should look no further than Elementary Information Security.   Richard Smith has written a magnum opus on the topic, which will be of value for years to come. 

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

Ben Rothke

Senior Information Security Manager, Tapad


data security identity management & governance

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community