techbooks · Internet Review Project

#665 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Sep 4, 2006 7:38 pm
Subject: REVIEW: "Scene of the Cybercrime: Computer Forensics Handbook", Debra Littlejohn Shinder
BKSOCCFH.RVW   20060809

"Scene of the Cybercrime: Computer Forensics Handbook", Debra
Littlejohn Shinder, 2002, 1-931836-65-5, U$59.95/C$92.95
%A   Debra Littlejohn Shinder debshinder@...
%C   800 Hingham Street, Rockland, MA   02370
%D   2002
%E   Ed Tittel
%G   1-931836-65-5
%I   Syngress Media, Inc.
%O   U$59.95/C$92.95 781-681-5151 fax: 781-681-3585 amy@...
%O  http://www.amazon.com/exec/obidos/ASIN/1931836655/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1931836655/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1931836655/robsladesin03-20
%O   Audience n+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   718 p.
%T   "Scene of the Cybercrime: Computer Forensics Handbook"

There are some good forensics books out there, but there are also a
number of forensics titles that are nothing more than pamphlets
suggesting that the reader get a copy of EnCase and fool around.  Then
there is this work.  I'm not sure how I got a review book that is four
years old, an eternity in the technical realm, and particularly in
security.  Astoundingly, Shinder produced a work that cut to the heart
of the necessary concepts, without piling on technical trivia that
would rapidly go out of date.  This volume is as relevant and valuable
today as it was when it came out.

The foreword notes that the author, herself from both a law
enforcement and a technical background, found that most technical
security people know little about law and legal procedures, and that
law enforcement personnel know next to nothing about computer
internals.  She set herself to provide geek info to the cops and cop
smarts to the geeks, and to compile a reference to other resources.

She has produced an admirably valuable text.

Chapter one starts out with a bit of a slip, stating that cybercrime
is a subcategory of computer crime, but then explains it in such a way
as to be basically identical.  However, Shinder goes on to provide an
excellent review of the problems in defining and categorizing
cybercrime, jurisdictional issues, and the difficulties in building a
team and infrastructure to fight cybercrime.  A concise history of
computer crime events and issues, and a review of common dangers,
makes up chapter two.  (The material on high-speed Internet is
somewhat dated, but the rest is excellent.)  In other hands, chapter
three's examination of the people involved in cybercrime would be a
rehash of old "hacker" stereotypes.  Instead, Shinder gives us
criminal psychology, profiling (and counterexamples to the
stereotypes), victimology, and the characteristics of a good
investigator.

Chapter four looks into computer hardware basics.  Techies will think
it simplistic, but the content is pitched just right for computer
neophytes who need the fundamental concepts and enough detail to step
up to further studies.  Some may think that the coverage of
networking, in chapter five, spends too much time on analogue
signalling and old LAN protocols, but you have to remember that
digital forensic investigators are not called upon to use standard
environments, but to assess the material found in arbitrary ones.  The
presentation of network intrusions and attacks, in chapter six, has
clear representation of the concepts, without deluging the reader with
quickly dateable minutia.

Chapter seven, turning to cybercrime prevention, presents general
information security concepts, with a concentration on networks and
cryptography.  (As with many, Shinder seems to be fascinated with
steganography out of all proportion to its importance.)  Implementing
system security, in chapter eight, is similar, but with greater
emphasis on specific settings.  (Although this is very helpful,
particularly to the home user, it has limited application to
forensics.)  Chapter nine looks at cybercrime detection techniques,
primarily audit information in its various forms.  The collection and
preservation of digital evidence is an important and difficult task.
Chapter ten does not go into the same level of detail as Michael A.
Caloyannides' "Computer Forensics and Privacy" (cf. BKCMFRPR.RVW),
"Computer and Intrusion Forensics" by Mohay et al (cf. BKCMINFO.RVW),
Kruse and Heiser's classic "Computer Forensics" (cf. BKCMPFRN.RVW),
the somewhat challenging "Forensic Discovery" by Farmer and Venema
(cf. BKFORDIS.RVW), and Brian Carrier's resourceful "File System
Forensic Analysis" (cf. BKFSFRAN.RVW), but presents a broad overview,
and has good advice on evidence management and a useful list of
resources.  Legal systems, types of laws, jurisdictional issues, and
the preparation of a case are covered in chapter eleven, which extends
"A Guide to Forensic Testimony" by Smith and Bace (cf. BKGDFOTS.RVW).

For anyone just becoming involved in digital forensics, the book is an
excellent introduction and overview of the field in its proper
context.  For those already involved, this manual is both a solid
reminder of what needs to be taught to those becoming involved in
computer forensics, and also a resource for a number of areas that the
individual specialist may not cover every day.  Despite the age of the
work, in this fast changing environment, Shinder has produced a text
of classic depth and lasting value.  (Hopefully Syngress will get her
to produce updates on a regular basis.)

copyright Robert M. Slade, 2006   BKSOCCFH.RVW   20060809


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Are you sure that [nine nine nine nine nine nine is] random?
That's the problem with randomness.  You can never be sure.
     www.unitedmedia.com/comics/dilbert/archive/dilbert-20011025.html
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#666 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Sep 7, 2006 5:14 pm
Subject: REVIEW: "Windows Server 2003 Security", Blair Rampling
BKWS2K3S.RVW   20060815

"Windows Server 2003 Security", Blair Rampling, 2003, 0-7645-4912-X,
U$49.99/C$74.99/UK#34.95
%A   Blair Rampling
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-7645-4912-X
%I   John Wiley & Sons, Inc.
%O   U$49.99/C$74.99/UK#34.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/076454912X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/076454912X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/076454912X/robsladesin03-20
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   577 p.
%T   "Windows Server 2003 Security"

Part one addresses security fundamentals.  Chapter one looks at
security threats, drawing a distinction between insider and outsider
activities, and listing a few attack types.  (Interestingly, the piece
starts out with the statement that the job of the security
administrator is to apply patches and to monitor for intrusions.)  The
network and system security overview, in chapter two, enumerates the
security components, but provides very little in the way of
explanation.  Security architecture planning, in chapter three, seems
to be restricted to standardization and documentation.  Documentation
is always good, but standardization may not be: it increases the risk
of a universal failure.  (We also get the usual advice to disable
"unnecessary" services, without any discussion of "necessary.")
Chapter four covers the installation of various auditing tools, but
without any examination of analysis requirements.  Various security
related components of Windows 2003 are listed in chapter five.

Part two contains an overview of system security.  Chapter six deals
with the installation of some of the services mentioned in five.
Security applications, in chapter seven, provides installation
instructions, but limited details for security features of the IIS
(Internet Information Services) Web server, ftp server, SMTP mail, and
DNS.

Part three moves to authentication and encryption.  Chapter eight
gives an introduction to random topics in security, and then deals
with installation of EFS (Encrypting File System) and PGP (Pretty Good
Privacy).  How to turn on SSL (Secure Sockets Layer) for IIS and SMTP
Server is outlined in chapter nine.  "Windows Server 2003
Authentication" tells you how to initiate the use of smartcards and
IIS certificates in chapter ten.  Chapter eleven provides some setting
information for Kerberos, but the fact that Rampling insists that
Kerberos is based on asymmetric encryption makes the conceptual
information rather suspect.  Chapter twelve gives a terse overview of
public key infrastructure.  Screenshots of the dialogs for installing
and configuring certificate services are in chapter thirteen.  Chapter
fourteen presents more pictures of starting Point-to-Point Tunnelling
Protocol (PPTP) and Layer 2 Tunnelling Protocol (L2TP), but manages to
leave the impression that these technologies give you encryption
protection.  IPSec, in chapter fifteen, gets more figures and little
explanation.

Part four looks at the Microsoft Internet Security and Acceleration
(ISA) Server firewall.  Chapter sixteen lists various firewall and
cache functions.  Installation, in chapter seventeen, is the usual
series of screenshots.  Caching is covered in eighteen.

This is the usual "documentation replacement" type of text.  In regard
to security, it does bring together the major functions from Windows
2003 into one volume, but provides no additional help (and numerous
errors).

copyright Robert M. Slade, 2006   BKWS2K3S.RVW   20060815


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
                That thought got run over as it was crossing my mind.
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
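The review above faults the book for claiming Kerberos is based on asymmetric encryption. The following is an added illustration, not code from the book or from the reviewer: a toy run of the three Kerberos exchanges (AS, TGS, AP) in which every ticket and every authenticator is sealed with a key the two parties already share, and the KDC holds all long-term keys. The principal names, passwords, and the encrypt-then-MAC construction built from HMAC-SHA256 are stand-ins chosen for this example (real Kerberos uses AES enctypes and ASN.1 messages); the message layouts are simplified. What it shows is that no public key appears anywhere in the protocol.

```python
"""Toy Kerberos exchange (AS -> TGS -> AP) using only symmetric keys.
Illustrative code, not Kerberos itself: the cipher is a stand-in for the
real enctypes, and the message layouts are simplified."""
import hashlib, hmac, json, os, time

REALM = "EXAMPLE"  # constructed realm name for the demo


def string_to_key(password: str, principal: str) -> bytes:
    # Same idea as the RFC 3962 string-to-key: PBKDF2 over the password,
    # salted with realm + principal, so the KDC and the client derive the
    # same long-term key independently.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               (REALM + principal).encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]


def seal(key: bytes, msg: dict) -> bytes:
    """Encrypt-then-MAC under a shared key (toy construction, not a Kerberos enctype)."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds every principal's long-term symmetric key; there are no public keys."""
    def __init__(self, passwords: dict):
        self.keys = {p: string_to_key(pw, p) for p, pw in passwords.items()}

    def as_exchange(self, client: str):
        # AS-REP: TGT sealed under the krbtgt key, enc-part sealed under the
        # client's long-term key. Only a client that knows the password can
        # recover the session key.
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "exp": time.time() + 600})
        enc_part = seal(self.keys[client], {"key": sk, "for": "krbtgt"})
        return tgt, enc_part

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        t = unseal(self.keys["krbtgt"], tgt)            # KDC opens its own TGT
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"] or t["exp"] < time.time():
            raise ValueError("authenticator does not match ticket")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key})
        enc_part = seal(bytes.fromhex(t["key"]), {"key": svc_key, "for": service})
        return ticket, enc_part


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """AP exchange: the service needs only its own long-term key."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator/ticket mismatch")
    return t["client"]


def run_exchange(password: str = "correct horse") -> str:
    # Constructed principals and passwords for the demo.
    kdc = KDC({"alice": "correct horse", "krbtgt": "kdc-master", "http/web": "svc-secret"})
    k_alice = string_to_key(password, "alice")          # client side, from its password
    tgt, enc = kdc.as_exchange("alice")
    sk = bytes.fromhex(unseal(k_alice, enc)["key"])     # fails here with a wrong password
    auth1 = seal(sk, {"client": "alice", "ts": time.time()})
    ticket, enc2 = kdc.tgs_exchange(tgt, auth1, "http/web")
    svc_sk = bytes.fromhex(unseal(sk, enc2)["key"])
    auth2 = seal(svc_sk, {"client": "alice", "ts": time.time()})
    return service_accepts(kdc.keys["http/web"], ticket, auth2)


def wrong_password_rejected() -> bool:
    try:
        run_exchange(password="wrong")
    except ValueError:
        return True
    return False
```

Every decryption in the run uses a key that was shared before the exchange began (password-derived for the client, provisioned for krbtgt and the service), and the session keys are generated by the KDC and delivered inside those sealed messages. The one place public-key cryptography enters real Kerberos is the optional PKINIT extension for initial authentication, which is an add-on rather than the basis of the protocol.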

#667 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Sep 18, 2006 7:57 pm
Subject: REVIEW: "Computer Security Basics", Rick Lehtinen/Deborah Russell/G. T. Gangemi Sr.
BKCMPSEC.RVW   20060819

"Computer Security Basics", Rick Lehtinen/Deborah Russell/G. T.
Gangemi Sr., 2006, 0-596-00669-1, U$39.99/C$51.99
%A   Rick Lehtinen
%A   Deborah Russell
%A   G. T. Gangemi Sr.
%C   103 Morris St., Suite A, Sebastopol, CA   95472-9902
%D   2006
%G   0-596-00669-1
%I   O'Reilly and Associates, Inc.
%O   U$39.99/C$51.99
%O  http://www.amazon.com/exec/obidos/ASIN/0596006691/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596006691/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596006691/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   296 p.
%T   "Computer Security Basics, Second Edition"

I've been waiting a long time for an updated version of this classic.

"Computer Security Basics" was a pretty accurate name for the first
edition.  The book was an overview of many aspects that go into the
security of computers and data systems.  While not exhaustive, it
provided a starting point from which to pursue specific topics that
required more detailed study.  Such is no longer the case.

Part one looks at security for today.  Chapter one starts with 9/11,
then talks about various infosec groups, and only then gets to an
introduction of what security is, and how to evaluate potential
loopholes.  The definition points out the useful difference between
the problems of confidentiality and availability, and now adds
integrity.  The distinction between threats, vulnerabilities and
countermeasures is helpful, but may fail to resolve certain issues.
Ironically, in view of the title of this section, chapter two gives
some historical background to the development of modern data security.

Part two deals with computer security itself.  Chapter three looks at
access control, but is somewhat unstructured.  Malware and viruses
receive the all-too-usual mix of advice and inaccuracies in chapter
four.  Policy is supposed to be the topic of chapter five, but most of
the text is concerned with matters of operations.  Internet and Web
technologies, and a few network attacks, are listed in chapter six.

The prior inclusion of network topics is rather funny, since part
three delves into communications security.  Chapter seven turns first
to encryption, which could be presumed to have applications in more
than communications, although it is important in that field.  The
material on encryption is quite scattered and disorganized, and the
explanation of asymmetric systems is probably more confusing than
helpful.  A lot about networks, a list of network security components,
and not much that is useful makes up chapter eight.

Part four turns to other types of security.  Chapter nine takes a
confused look at physical security, and includes biometrics: as with
encryption and communications, the topic that could be related to
physical security, but might more properly be dealt with elsewhere.
Chapter ten reviews wireless LANs, mentioning threats, but only
tersely listing security measures, with no detail for use or
implementation.

The original version of the book was a good starting point for
beginners who had to deal with computer security at a basic level.
This second edition is a tremendous disappointment: Lehtinen has done
a disservice not only to Russell and Gangemi, but also to those
relying on this foundational guide.  The tone of the first edition may
have been too pompous, but the contents were informed by the primary
concerns for information security.  This update has introduced random
new technical trivia, muddied the structure and flow, and reduced the
value of the reference overall.

copyright Robert M. Slade, 1993, 2002, 2006   BKCMPSEC.RVW   20060819


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Information is light.  Information, in itself, about anything, is
light.                               - Tom Stoppard, `Night and Day'
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#668 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Sep 21, 2006 10:04 pm
Subject: REVIEW: "Steal This Computer Book 4.0", Wallace Wang
BKSTLTCB.RVW   20060819

"Steal This Computer Book 4.0", Wallace Wang, 2006, 1-59327-105-0,
U$29.95/C$38.95
%A   Wallace Wang bothecat@...
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2006
%G   1-59327-105-0
%I   No Starch Press
%O   U$29.95/C$38.95 415-863-9900 fax 415-863-9950 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/1593271050/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1593271050/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1593271050/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   361 p. + CD-ROM
%T   "Steal This Computer Book 4.0: What They Won't Tell You About the
       Internet"

This book is still being promoted as a security text.  The table of
contents lists a bewildering variety of topics, most related to
security breaking.  The introduction doesn't really provide much
information about what the book is about, either, except that it
appears to be big on self-improvement.  It seems to imply that the
book isn't meant as a how-to manual for hacking, but more as a
philosophical statement urging people to think for themselves.  In
response, all that I can say is that neither the promotion of the book
nor the text itself stresses this intention, and I personally cannot
find any utility in the volume for teaching critical thinking skills.

Part one is supposed to be a historical look at "hackers."  Chapter
one says that curiosity is good, and the US government did very bad
things to some of its own people.  Phone phreaking stories are in
chapter two.  Chapter three provides random information about social
engineering (aka "lying") and locks.

Part two turns to early (PC era) computers.  Chapter four tells you
how to write an ANSI bomb (be still my beating heart), and retails
haphazard (old) information about (old) viruses.  Stories about
trojans and misinformation about worms are in chapter five, while tales
of software copyright are in six.

Part three moves to the Internet.  Chapter seven tells you where to
find "hackers," and tries to confuse the distinction between whitehat
and blackhat.  Port scanning and wardriving get an overview in chapter
eight.  Nine lists a few password attacks.  Minimal material on
rootkits makes up chapter ten.  Chapter eleven starts with a
discussion of filtering and DNS (Domain Name Service) poisoning, and
then lists some examples of censorship.  Chapter twelve takes a quick
peek at file sharing networks, without much review of the technology.

Part four looks into "real world" hackers.  Just what this might be is
not clear, but might be intimated by the fact that chapter thirteen
lists Internet frauds.  Fourteen gets into cyberstalking and gathering
information about individuals online.  The fact that corporate news
sources have been caught faking "news" photographs and other items is
used, in chapter fifteen, to suggest that blogs are a better source of
news.  Various hacktivist activities are described in chapter sixteen.
Chapter seventeen lists some online hate activities.

I am afraid to say that I agree with Wang on part five: the future of
online malicious activity will increasingly involve profit.  Chapter
eighteen looks at identity theft and spam.  Web advertising, mostly of
the pop-up type, is in nineteen.  Chapter twenty reviews spyware.

Part six purportedly provides information about protection.  Chapter
twenty-one suggests how to save money via the Internet (without really
emphasizing the fact that you have to be pretty careful pursuing that
objective).  Chapter twenty-two notes a few things about forensics and
mentions ways to get rid of some information automatically stored in
your computer.  Hardening your computer is a good idea, but the
content of chapter twenty-three is unreliable: it is unlikely to help
secure your computer, and may end up damaging it.

Bottom line?  This book is unfocused in conception and hasty in
execution.  Yes, it is aimed at a technically unsophisticated
audience, but yelling "hey, watch out" is unlikely to be of help to
anyone.  (One suspects that it would be appropriate for this book to
have a "code orange" cover.)  On the one hand, it does not provide the
esoteric information that both the author and publisher promise, so it
isn't any threat.  On the other hand, the author demonstrates no
particular technical skill or knowledge on any topic, so it hasn't any
other value, either.  This random collection of information may
provoke some thought in non-technical computer users, but browsing of
the net for yourself is probably much, much more useful in that
regard.  This edition is much more technically focused than the first
edition, but no more useful.

copyright Robert M. Slade, 1998, 2006   BKSTLTCB.RVW   20060819


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
There is nothing in this world constant but inconstancy.     - Swift
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#669 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Oct 2, 2006 7:27 pm
Subject: REVIEW: "Security Log Management", Jacob Babbin et al
BKSCLGMN.RVW   20060821

"Security Log Management", Jacob Babbin et al, 2006, 1-59749-042-3,
U$49.95/C$69.95
%A   Jacob Babbin
%A   Dave Kleiman
%A   Everett F. Carter
%A   Jeremy Faircloth
%A   Mark Burnett
%C   800 Hingham Street, Rockland, MA   02370
%D   2006
%E   Esteban Gutierrez
%G   1-59749-042-3
%I   Syngress Media, Inc.
%O   U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597490423/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597490423/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597490423/robsladesin03-20
%O   Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   333 p.
%T   "Security Log Management: Identifying Patterns in the Chaos"

Chapter one reviews the problem of masses of data.  The text suggests
that there are solutions, and even gives some examples, but the
writing seems to be intended only for an audience that is already
skilled, working, and well familiar with those very solutions.
Sections of sample code are provided (here and at other places in the
book), but they tend to be of limited utility because significant
chunks of the actual functional parts are missing.  Various tools for
IDS (intrusion detection system) reporting are described in chapter
two.  Fewer tools are listed for firewall reporting in three.
Although entitled "Systems and Network Device Reporting," chapter four
looks solely at Web server logs, and that only for a single type of
attack or situation.  However, the restriction of topic is somewhat
ameliorated by the best writing in the book: the coverage of the
analysis is clear and an excellent introduction to Web server
forensics.  Chapter five has scripts for text reporting (illustrated
by graphical presentation of the data, so it is somewhat misleading).
Chapter six suggests that you should do Enterprise Security
Management, and notes some of the difficulties you may encounter, but
doesn't provide any help.  Despite the title of "Managing Log Files
with Microsoft Log Parser," chapter seven merely talks about generic
file management.  Chapter eight does provide some Microsoft Log Parser
SQL code for reporting, and has a few other useful suggestions.  More
Log Parser SQL code, this time for formatting CSV (comma separated
values) data, is in chapter nine.

Basically, if you already know how to deal with event logs, log data,
and log data analysis, this book will provide you with some
suggestions about tools that you might want to try.  If you are
already struggling with network forensics and intrusion detection, the
material in this volume won't help much.

copyright Robert M. Slade, 2006   BKSCLGMN.RVW   20060821


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
The danger in weakening encryption is that our infrastructure
would become even less secure.
                           - Bill Crowell, former NSA deputy director
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
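The review above describes a book of scripts that turn Web server logs into reports and CSV output but says the published code is missing its working parts. As an added example, not taken from the book or the review, here is a complete, stand-alone version of that kind of report: it parses Combined Log Format lines, summarises requests per client, flags clients whose traffic is mostly client errors (a common sign of path guessing), and emits the summary as CSV. The log lines are constructed for this example, and the thresholds (five requests, half of them 4xx) are assumptions to be tuned per site.

```python
"""Web server log summary: parse, aggregate per client, flag, export CSV.
Added example with constructed log lines; thresholds are assumptions."""
import csv, io, re
from collections import defaultdict

# Common/Combined Log Format prefix: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one ordinary visitor, one client guessing paths, one junk line.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Aug/2006:10:01:02 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Aug/2006:10:01:03 -0700] "GET /style.css HTTP/1.1" 200 801 "http://www.example/" "Mozilla/5.0"
192.0.2.10 - - [21/Aug/2006:10:01:09 -0700] "GET /about.html HTTP/1.1" 200 2210 "http://www.example/" "Mozilla/5.0"
192.0.2.10 - - [21/Aug/2006:10:02:31 -0700] "GET /missing.gif HTTP/1.1" 404 290 "http://www.example/about.html" "Mozilla/5.0"
203.0.113.7 - - [21/Aug/2006:10:05:00 -0700] "GET / HTTP/1.0" 200 5120 "-" "scanner/1.0"
203.0.113.7 - - [21/Aug/2006:10:05:00 -0700] "GET /admin/ HTTP/1.0" 404 290 "-" "scanner/1.0"
203.0.113.7 - - [21/Aug/2006:10:05:01 -0700] "GET /phpmyadmin/ HTTP/1.0" 404 290 "-" "scanner/1.0"
203.0.113.7 - - [21/Aug/2006:10:05:01 -0700] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 290 "-" "scanner/1.0"
203.0.113.7 - - [21/Aug/2006:10:05:02 -0700] "GET /.htpasswd HTTP/1.0" 403 290 "-" "scanner/1.0"
203.0.113.7 - - [21/Aug/2006:10:05:02 -0700] "GET /backup.zip HTTP/1.0" 404 290 "-" "scanner/1.0"
203.0.113.7 - - [21/Aug/2006:10:05:03 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "scanner/1.0"
this line is not a log record
"""


def parse(lines):
    """Return (records, malformed_count); malformed lines are counted, not silently dropped."""
    records, malformed = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            malformed += 1
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records, malformed


def summarize(records):
    """Per-client totals: request count, 4xx count, distinct paths requested."""
    s = defaultdict(lambda: {"requests": 0, "client_errors": 0, "paths": set()})
    for r in records:
        c = s[r["ip"]]
        c["requests"] += 1
        if 400 <= r["status"] < 500:
            c["client_errors"] += 1
        c["paths"].add(r["path"])
    return dict(s)


def suspicious(summary, min_requests=5, error_ratio=0.5):
    """Clients with enough traffic whose requests are mostly 4xx (assumed thresholds)."""
    return sorted(ip for ip, c in summary.items()
                  if c["requests"] >= min_requests
                  and c["client_errors"] / c["requests"] >= error_ratio)


def to_csv(summary) -> str:
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["client", "requests", "client_errors", "distinct_paths"])
    for ip in sorted(summary):
        c = summary[ip]
        w.writerow([ip, c["requests"], c["client_errors"], len(c["paths"])])
    return buf.getvalue()


def report(text: str = SAMPLE_LOG) -> dict:
    records, malformed = parse(text.splitlines())
    summary = summarize(records)
    return {"parsed": len(records), "malformed": malformed,
            "flagged": suspicious(summary), "csv": to_csv(summary)}


if __name__ == "__main__":
    r = report()
    print(f"parsed={r['parsed']} malformed={r['malformed']} flagged={r['flagged']}")
    print(r["csv"])
```

Counting the malformed lines matters in practice: a parser that quietly skips what it cannot read will also skip the oversized or oddly quoted requests that an attacker's traffic tends to produce, so the malformed count is the first number to look at before trusting the rest of the report.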

#670 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Oct 4, 2006 7:58 pm
Subject: REVIEW: "Just Say No to Microsoft", Tony Bove
BKJSN2MS.RVW   20060823

"Just Say No to Microsoft", Tony Bove, 2005, 1-59327-064-X,
U$24.95/C$33.95
%A   Tony Bove www.tonybove.com
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2005
%G   1-59327-064-X
%I   No Starch Press
%O   U$24.95/C$33.95 415-863-9900 fax 415-863-9950 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/159327064X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/159327064X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/159327064X/robsladesin03-20
%O   Audience n+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   243 p.
%T   "Just Say No to Microsoft"

The introduction is fairly opinionated, but buried in the meditation
is an indication that the book is supposed to be of assistance to
those who would like to explore alternatives to the Microsoft software
that dominates desktop computing.

Part one purports to be about the revolution away from Microsoft.
Chapter one seems to be a history of Microsoft, and how it came to
have a near monopoly.  While the writing is entertaining, Bove
recycles some mythical and "almost" accurate tales of Microsoft's
rise.  Security weaknesses are pushed, but mostly in terms of
anecdotal reports.  (The danger of a monoculture is mentioned, but
given little analysis.)  The author appears to be a Mac fan, so it
isn't surprising that chapter two is a promotional piece about that
product line, primarily emphasizing the idea that the Mac looks cool.
(The rather brief examination of why machines running MacOS are more
secure than Microsoft Windows points out the security provisions that
are present on the Mac, but doesn't stress the fact that the functions
are all there in Windows but, like any typical Mac system, the
protection processes normally just aren't used.)  The Linux operating
system (and the general concept of open source software) is outlined
in chapter four.  Interestingly, Bove notes many situations where
Linux is superior to the Mac, and this chapter is very well written
and persuasive.

Part two looks at options for non-Microsoft applications software,
starting with the ubiquitous Microsoft Word word processor (in chapter
four).  Word security problems are mentioned, although, in the
discussion of RTF (Rich Text Format) there is no reference to the
Microsoft-only extensions that have security implications.  (Here, and
in other places in the book, there is an odd insistence upon the
benefits of using PDF; Adobe's Portable Document Format; despite the
security problems with it and the lack of application support.)
Chapter five deals with the other major Microsoft Office programs
(Excel and PowerPoint).  (The deliberation on PowerPoint concentrates
on the danger of "presentations" in general, rather than faults of the
software itself.)  Most of the review of music and video, in chapter
six, centres on digital rights management.

Part three turns to network applications.  Chapter seven examines
email and viruses.  Despite some errors (the first email virus spread
in 1987, not 1999) the advice on attachments, HTML (HyperText Markup
Language) formatting of email messages, and fraud is very good,
although it does mean that the suggestions about alternative mailers
are rather secondary.  Some information about LAN options is available
in chapter eight, but the point of the chapter is not clear.  Web
browser dangers, in chapter nine, points out issues with spyware,
cookies, and ActiveX.

The book concludes in part four.  Chapter ten, using the twelve step
addiction recovery program as a model, recommends that you assess what
you are doing with computers (and what you need), get assistance
installing and setting up alternative software, and then convert.
Another opinion piece on Microsoft makes up chapter eleven.

(An appendix lists some Websites that may provide various forms of
help, either with alternative software or safer settings of Microsoft
products.)

Although overly verbose and biased at times, this publication does
provide suggestions and potential resources for those interested in
pursuing options other than the standard Microsoft programs.  These
alternatives may be examined for reasons of cost or functionality, but
the primary thrust and argument in the volume seems to be based on
security considerations.  Even for those who are not concerned about
avoiding dependence upon Microsoft there is good advice on making
Microsoft products more secure than they are by default.  So, whether
or not you are interested in saying "No" to Microsoft, you will find
this book useful even if you are merely concerned with the security of
your machine and applications.

copyright Robert M. Slade, 2006   BKJSN2MS.RVW   20060823


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Success is the ability to go from one failure to another with no
loss of enthusiasm.                              - Winston Churchill
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#671 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Oct 6, 2006 8:02 pm
Subject: REVIEW: "A Primer for Disaster Recovery Planning in an IT Environment", Charlotte J. Hiatt
BKPDRPIT.RVW   20060823

"A Primer for Disaster Recovery Planning in an IT Environment",
Charlotte J. Hiatt, 2000, 1-878-28981-0
%A   Charlotte J. Hiatt
%C   1331 E. Chocolate Ave., Hershey, PA   17033-1117
%D   2000
%G   1-878-28981-0
%I   IRM Press/Idea Group
%O   800-345-432 717-533-8845 fax: 717-533-8661 cust@...
%O  http://www.amazon.com/exec/obidos/ASIN/1878289810/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1878289810/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1878289810/robsladesin03-20
%O   Audience a Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   276 p.
%T   "A Primer for Disaster Recovery Planning in an IT Environment"

It is interesting to note that the introduction says nothing about the
purpose of the book (and does suggest that those planning for disaster
recovery can benefit from bringing in consultants).

There are several oddities in this work.  The chapters are not
numbered, and most are very short.  The Appendices (mostly forms) are
longer than the text of the book itself.

The chapters cover topics such as a definition of a disaster (which
doesn't define so much as lay out categories), examples of disasters,
statistics supporting the need for disaster planning, a recommendation
to obtain management support, a terse list of the composition of the
planning team, desirable characteristics of the team coordinator, risk
and business impact analysis (good as far as it goes, but fairly
standard), options for offsite data storage, and system recovery
options.  The book suggests evaluating alternatives for plan
development (including the aforementioned consultants) and defining
the assumptions and limits of the strategy.  (The components that go
into the written plan get more space than the procedures for
emergency response.)  Emergency management, disaster recovery teams, a
notification directory, emergency operations centre, training,
testing, maintenance, invocation, and media management all get
relatively brief overviews.  The book also lists other resources and
references.

While the material is fundamentally sound, it is neither extensive nor
particularly related to information technology as such.  Details of
options and alternatives are scant.  This is certainly a worthwhile
reference as a reminder for anyone involved in disaster recovery
planning, and as a guide for the process.  For those dealing
specifically with contingency plans for computer system operations,
additional resources will be required.

copyright Robert M. Slade, 2006   BKPDRPIT.RVW   20060823


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
The proper function of man is to live, not to exist. I shall not
waste my days in trying to prolong them. I shall use my time.
                                                        - Jack London
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#672 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Oct 9, 2006 6:33 pm
Subject: REVIEW: "PGP & GPG: Email for the Practical Paranoid", Michael W. Lucas
BKPGPGPG.RVW   20060823

"PGP & GPG: Email for the Practical Paranoid", Michael W. Lucas, 2006,
1-59327-071-2, U$24.95/C$32.95
%A   Michael W. Lucas mwlucas@...
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2006
%G   1-59327-071-2
%I   No Starch Press
%O   U$24.95/C$32.95 415-863-9900 fax 415-863-9950 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/1593270712/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1593270712/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1593270712/robsladesin03-20
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   196 p.
%T   "PGP & GPG: Email for the Practical Paranoid"

The introduction states that while the book does cover foundational
encryption concepts, it is primarily intended to explain the
appropriate use of the PGP (Pretty Good Privacy) and GPG tools.  This
preamble also provides a history and description of PGP, OpenPGP, and
GnuPG.  The rudimentary outline is good, but does have some errors: an
ITAR (International Traffic in Arms Regulations) offence would be a
criminal (rather than civil) matter so the US government never did
launch a lawsuit against software author Phil Zimmermann (although
other lawsuits were launched surrounding the program), and the program
was produced before the book of the source code was published.  (Lucas
also retails the myth that the NSA has a secret computer that can
crack the strongest of encryption algorithms: to those who truly do
understand encryption technology the suggestion is patently absurd.)

Chapter one outlines the basics of cryptography, but adds more errors:
for example, a code doesn't relate to concealment, and substitution is
not the only form of ciphering.  While the explanations are sometimes
far from clear, generally the ideas are presented reasonably, although
in a simplistic manner.  (Here and at other places in the book, Lucas
attempts to inject the occasional note of levity.  As with similar
attempts by other authors, these jokes will not help the reader to
understand or remember the material.  However, at least Lucas keeps
the quips to a minimum, and they aren't too annoying.)  Elementary
components of OpenPGP are related in chapter two.  Installation
instructions for PGP Desktop are provided in chapter three, along with
additional suggestions and information about locations for keys.
These are useful for those with an intermediate or advanced level of
familiarity with Windows, but there is insufficient detail or
explanation provided for novice users, who appear to be the most
appropriate target audience for this book.  Chapter four deals with
the installation of GnuPG and the Windows Privacy Tray (WinPT)
graphical front end, and more details are provided for this form,
although the definition is still weak.  Specific operations and
activities regarding the building and use of the Web of Trust are
outlined in chapter five, but the implications and underlying concepts
are not explained well even though some of the more esoteric
ramifications are mentioned.  Key management dialogue boxes are
described for PGP in chapter six, and GnuPG in seven.  Chapter eight
is an introduction to the idea of (and some of the problems with)
using OpenPGP with email.  Various settings for PGP and email are in
chapter nine.  Installation of plugins for GnuPG and the Outlook,
Outlook Express, and Thunderbird mailers is described in chapter ten.
Various warnings about using PGP and GnuPG are sounded in chapter
eleven.  Most are reasonable, but some betray a lack of background
(SHA-1 is more susceptible to the birthday attack than to forgery).

This could be a helpful guide if you are new to encryption and wish to
install and use PGP Desktop or GnuPG.  However, note that the
background information is limited, and sometimes inaccurate.  For most
users this will not be an issue.  More importantly, beyond the basic
operations of the programs there is little in the way of advice on the
finer points of "appropriate" use of encryption services.  A handy
guide to obtaining and installing the software, but, beyond that, you
are pretty much on your own.

copyright Robert M. Slade, 2006   BKPGPGPG.RVW   20060823


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Reading is to the mind what exercise is to the body.
                                                     - Joseph Addison
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#673 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Oct 11, 2006 6:38 pm
Subject: REVIEW: "World War 3: Information Warfare Basics", Fred Cohen
BKWW3IWB.RVW   20060823

"World War 3: Information Warfare Basics", Fred Cohen, 2006,
1-878109-40-5
%A   Fred Cohen fred.cohen at all dot net
%C   572 Leona Dr, Livermore, CA   94550
%D   2006
%G   1-878109-40-5
%I   Fred Cohen and Associates
%O   925-454-0171 all.net
%O  http://www.amazon.com/exec/obidos/ASIN/1878109405/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1878109405/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1878109405/robsladesin03-20
%O   Audience n+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   314 p.
%T   "World War 3: Information Warfare Basics"

Chapter one asserts that world war 3 is not what most people think it
is or will be, and that it is going on right now.  (There is also a
fairly extensive biography of Dr. Cohen.)  A definition of information
warfare (or iwar) is the province of chapter two.  Cohen starts with
the notion that warfare itself is a high-intensity conflict, and then
notes that iwar is the manipulation (and protection) of symbolic
representations used by the participants in such a conflict.  Numerous
instances and examples of iwar are explored, and the definition
certainly fits all the forms noted.  At the same time, it must be said
that the definition, while comprehensive, does not appear to assist in
formulating responses to the problem.  (The mention of marketing as a
form of low-intensity iwar is intriguing.  I recall a conversation,
with an ex-employee of the CIA, as it happens.  This person had just
encountered the proposal that advertising agencies deliberately used,
and reinforced, certain symbols that were associated with specific
meanings and emotions.  Being part of the direct target audience he
had never noticed the practice while I, as an outsider, was just far
enough away from the central culture to have observed it for years.)
Cohen finally points out that we are all at war, on an information
level, with everyone else.

Chapter three examines the intensity levels of iwar.  The information
warfare capabilities of numerous nations, and relative comparisons
between various groups, are analyzed in chapter four.  Cohen also
makes a case for China overtaking the United States as a world leader
in this regard.  (This seems to have the strongest relationship to the
subtitular admonition that "we are losing" the world war 3 that we
didn't even know was being fought.  However, if so, it seems in some
contradiction to statements, in chapters two and three, that "we" are
all fighting each other, or that "we" are all in this together.)
Criminal activity is reviewed in chapter five, but the material is
relatively weak in regard to iwar.  The relationship between preaching
(especially the dogmatic and extreme forms) and propaganda is clear,
so chapter seven's association between religion and iwar is not
surprising, but the text does not support the contention in any
detailed way.  Corporate public relations and business intelligence are
discussed in chapter seven.  (Of particular interest are the sections
on companies against nations and religions.)

Chapter eight analyzes propaganda, not only in terms of the component
parts, but also in regard to effective countermeasures.  Politics, and
the various forms of iwar inherent in it, are in chapter nine.  Gaming
and game theory have been used in warfare and politics for years, and
are examined in chapter ten.  Chapter eleven looks at electronic
warfare, in many of its forms.  Information attack tactics, in chapter
twelve, repeats procedures that are well known to those dealing with
intrusions and penetration testing.  Legal issues associated with iwar
are outlined in chapter thirteen.  Chapter fourteen deals with broad
categories of defences that can be mounted against iwar activities.
Education is one, and chapter fifteen examines various forms of
education that are necessary for effective protection.  Finally, in
chapter sixteen, Cohen returns to the concept that all of us need to
know about information warfare, and to be on guard against it.

Ultimately, this book is not about World War Three, but about the
information warfare, at all levels, taking place around us every day.
While more personal and not as academic as Denning's "Information
Warfare and Security" (cf. BKINWRSC.RVW), Cohen's work is, in its own
way, just as important, since it addresses the types of propaganda to
which almost everyone is subject, likely without being aware of it.

copyright Robert M. Slade, 2006   BKWW3IWB.RVW   20060823


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
                  Find out what the button is for before you push it.
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#674 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Oct 13, 2006 7:53 pm
Subject: REVIEW: "Applied Software Project Management", Andrew Stellman/Jennifer Greene
BKAPSWPM.RVW   20060827

"Applied Software Project Management", Andrew Stellman/Jennifer
Greene, 2006, 0-596-00948-8, U$39.95/C$55.95
%A   Andrew Stellman www.stellman-greene.com
%A   Jennifer Greene www.stellman-greene.com
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2006
%G   0-596-00948-8
%I   O'Reilly & Associates, Inc.
%O   U$39.95/C$55.95 800-998-9938 fax: 707-829-0104 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596009488/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596009488/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596009488/robsladesin03-20
%O   Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   308 p.
%T   "Applied Software Project Management"

Chapter one is an introduction to both the book and the topic, with a
good list of fundamental principles.

Part one concentrates on tools and techniques.  Chapter two delves
into software project planning, going over standard documents and
agreements in the process, and reviewing the common causes of
difficulties.  Estimation is often considered either a black art or
total fiction, and chapter three notes techniques that can be used to
increase accuracy.  There are also details of the Wideband Delphi
method of consensus and appraisal.  Chapter four provides practical
advice on building a schedule, as well as noting what can go wrong.
Components of different types of reviews are given in chapter five.
Software requirements are vital, and chapter six outlines the use case
and SRS (Software Requirements Specification) tools, as well as
looking into change control and how best to implement software
requirements practices.  Although chapter seven is entitled "Design
and Programming," it really talks about version control utilities,
refactoring, unit testing, and build control.  (While these are
important, and infrequently dealt with, they don't make up the whole
topic area.)  A number of the most important factors in software
testing (including test plans, execution, environment, followup,
automation, and effective use of testing) are in chapter eight.

Part two is about using project management effectively.  Chapter nine
looks at understanding change, and notes various reasons for
resistance to change, but also provides useful ways to deal with the
problem.  Like chapter one, chapter ten's review of management and
leadership lists foundational principles as well as what to do, and
what not to do.  Managing outsourced projects, in chapter eleven,
gives good advice, but much of it takes back work that companies
wanted to outsource in the first place.  Various views, thoughts,
processes, and standards to do with process improvement are in chapter
twelve.

Little of the material in this book is new, but it is a useful and
handy reminder, compiled in a single volume.  Stellman and Greene have
provided a guide for the newcomer to software project management, and
a reference for experienced managers who are willing to think that
they might be able to improve the way they are doing things.

copyright Robert M. Slade, 2006   BKAPSWPM.RVW   20060827


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
I used to know the answer, but I've forgotten.
                           - Hillel the Elder, Jerusalem Talmud, 1911
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#675 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Oct 16, 2006 6:49 pm
Subject: REVIEW: "Makers", Bob Parks
BKMAKERS.RVW   20060827

"Makers", Bob Parks, 2006, 0-596-10188-0, U$24.95/C$34.95
%A   Bob Parks
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2006
%G   0-596-10188-0
%I   O'Reilly & Associates, Inc.
%O   U$24.95/C$34.95 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596101880/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596101880/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596101880/robsladesin03-20
%O   Audience n+ Tech 1 Writing 3 (see revfaq.htm for explanation)
%P   183 p.
%T   "Makers: All Kinds of People Making Amazing Things ..."

Based on a popular column in MAKE magazine, this book concentrates
more on the people who make things, than the things themselves.  For
those not familiar with MAKE, it is concerned with hobbyist projects,
preferably electronic, preferably based on junk and scrap.  Best of
all, the magazine loves oddball projects.

Ninety-one of the best of these off-the-wall inventors are featured
here.  From people who build almost full-scale submarines, to
automated cocktail dispensers, to necktie tying machines, to a paper
steam engine, to a pedal-powered canoe.  Lots of robots are included.

OK, it's fun.  Is it important?  Yes, possibly it is.  Creativity is
always needed, and any exploration of what inspires it can be useful.
(And the gadgets themselves might be inspiring, as well.)

copyright Robert M. Slade, 2006   BKMAKERS.RVW   20060827


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
                That thought got run over as it was crossing my mind.
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#676 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Oct 18, 2006 5:57 pm
Subject: REVIEW: "Does IT Matter", Nicholas G. Carr
BKDSITMT.RVW   20060827

"Does IT Matter", Nicholas G. Carr, 2004, 1-59139-444-9,
U$26.95/C$40.95
%A   Nicholas G. Carr
%C   60 Harvard Way, Boston MA   02163
%D   2004
%G   1-59139-444-9
%I   Harvard Business School Press
%O   U$26.95/C$40.95 800-545-7685 http://www.hbsp.harvard.edu
%O  http://www.amazon.com/exec/obidos/ASIN/1591394449/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1591394449/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1591394449/robsladesin03-20
%O   Audience i Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   191 p.
%T   "Does IT Matter"

In the preface, Carr states that it is impossible to predict or
explain successes or failures of the implementation of IT projects,
and that business is investing in IT without a clear understanding of
the strategic or financial impacts of IT.  (Which would make it
somewhat difficult to do cost/benefit assessments during risk
analysis.)  He also states that IT is no longer strategic but a
commodity: a necessity, but not a benefit.  Chapter one repeats this
latter idea.  (Since Carr's own definition of IT includes both
hardware and software, it is odd that this assessment seems to be
based solely on hardware and off-the-shelf software.)  The concept of
movement from strategic to infrastructure technology is reviewed, in
historical terms, with examinations of the nineteenth century rise of
the railroads and electricity, in chapter two.  Carr details his
argument in chapter three, addressing the different types of software.
Chapter four is a historical review of IT business successes, but does
little to advance the argument.  Chapter five almost seems to be
making the case that nothing gives a business advantage any more.  The
failure to control IT spending is examined in chapter six, along with
system disasters.  Finally, in chapter seven, we are told that
expectations that computers would run everything for us are
unrealistic.

I'm sorry, but I don't know what all the fuss was about.  Carr was
probably right: it always has been extremely difficult to make a
business case for information technology.  His book, however, does not
provide us with any helpful suggestions.

copyright Robert M. Slade, 2006   BKDSITMT.RVW   20060827


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
It is also true that the higher up the [security] scale someone
wishes to appear, the higher the incidence of his or her use of
words of Norman French and Latin origin.  We use terms like
`prevent.'  What's wrong with `stop'?  It's shorter and just as
good.                                             - Angus McIlwraith
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#677 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Oct 20, 2006 7:34 pm
Subject: REVIEW: "Time Management for System Administrators", Thomas A. Limoncelli
BKTMFRSA.RVW   20060828

"Time Management for System Administrators", Thomas A. Limoncelli,
2006, 0-596-00783-3, U$24.95/C$34.95
%A   Thomas A. Limoncelli
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2006
%G   0-596-00783-3
%I   O'Reilly & Associates, Inc.
%O   U$24.95/C$34.95 800-998-9938 fax: 707-829-0104 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596007833/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596007833/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596007833/robsladesin03-20
%O   Audience i Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   200 p.
%T   "Time Management for System Administrators"

In the preface, Limoncelli states that he wrote this book because
standard time management texts are not sufficient: system
administrators (SAs) are different, and need their own advice for
their own situation.

Chapter one starts out with a useful technique for dealing with
interruptions, just so that you can spend some time reading the book.
It then proceeds with a list of time management principles couched in
technical language so that system administrators will feel more
comfortable with the concepts.  Managing interruptions is the focus of
chapter two, with a number of useful tips.  Making certain functions
routine, and therefore saving time on decisions, is reviewed in
chapter three.

Chapters four through seven detail a time management process which
incorporates to-do lists, schedules, calendars, and long-term goals.

Chapter eight looks at standards for setting priorities.  Stress
management, and various ways to handle it, are covered in chapter
nine.  Chapter ten deals with something we can all use: ways to manage
email effectively.  Identification of common time-wasting activities,
and the elimination thereof, is the topic of chapter eleven.  There
are many situations where much time is wasted doing research because
documentation is not available, so chapter twelve's examination of the
different types and forms of documentation is a worthy one.  The why,
when, and how of automation is discussed in chapter thirteen.

Time management is important, and Limoncelli has provided a number of
useful tips in the book.  (Time spent reading it is definitely an
investment that will provide returns for those who find themselves
constantly swamped.)  On the other hand, aside from the specific areas
where he uses technical examples, I'm not sure why the author is so
certain that regular time management books can't help: the advice
given here is found in many other places as well.

copyright Robert M. Slade, 2006   BKTMFRSA.RVW   20060828


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Consultants have credibility because they aren't dumb enough to
work at your company.                                  - Scott Adams
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#678 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Oct 23, 2006 5:15 pm
Subject: REVIEW: "SSH The Secure Shell", Daniel J. Barrett/Richard E. Silverman
BKSSHLDG.RVW   20060910

"SSH The Secure Shell", Daniel J. Barrett/Richard E. Silverman, 2001,
0-596-00011-1, U$39.95/C$58.95
%A   Daniel J. Barrett dbarrett@...
%A   Richard E. Silverman res@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2001
%G   0-596-00011-1
%I   O'Reilly & Associates, Inc.
%O   U$39.95/C$58.95 800-998-9938 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596000111/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596000111/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596000111/robsladesin03-20
%O   Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   540 p.
%S   Definitive Guide
%T   "SSH The Secure Shell: The Definitive Guide"

The preface states that the book is intended for system administrators
(who may be called upon to support SSH, or use it within their
networks), users (who may wish to use SSH out of concern for their own
privacy or the security of their transactions), and developers (who
may be able to use SSH in order to provide robust and reliable
security to their own applications at little development cost).  The
authors also note that there may be confusion between the protocol
(denoted SSH), various products, and individual utilities and programs
(indicated by lowercase: ssh).

Chapter one outlines what SSH is, and isn't, the basic services it
provides (authentication, encryption, and integrity protection), and
also notes other protocols and products that provide similar services.
Basic operation of the most common clients (ssh and scp) is covered in
chapter two, along with a terse but reasonable introduction to
asymmetric key pairs.  The internals of SSH, and a more extended
discussion of cryptographic concepts, such as symmetric encryption,
asymmetric, and hashing, are examined in chapter three.  (The section
concludes with a useful list of threats against which SSH provides
little or no protection.)  Extensive installation and configuration
options are given in chapter four, with server configuration choices
in five.

Chapter six seems to move the subject to operational issues,
addressing key management, and particularly SSH agent use of keys.
Advanced topics governing client use are provided in chapter seven.
Chapter eight outlines alternative settings for the use of SSH with
user accounts.

Chapter nine discusses forwarding, which can be used in both network
administration (providing a secure tunnel within an unsecured
environment) or development (adding encryption or integrity
functionality to an application).  While previous material gave
details of configuration options, chapter ten furnishes the
beleaguered sysadmin with a recommended initial configuration.
Chapter eleven details options and setups for a variety of
applications and situations.  Troubleshooting guidance, and a list of
common problems, is supplied in chapter twelve.

Chapter thirteen equips the reader with tables of settings and
features pertinent to the various implementations of SSH.  Since SSH
is often seen as limited to the UNIX world, details of the Okhapkin
SSH1 Windows port are given in chapter fourteen, with SecureCRT in
fifteen, F-Secure SSH (for Windows and Mac) in sixteen, and
NiftyTelnet (Mac) in seventeen.

Too many of the mature and useful security technologies languish in
obscurity.  Everybody knows that SSH exists, but too few people use
it.  Hopefully this reference might give more developers and users a
chance to try it out, and administrators some resources to support it.

copyright Robert M. Slade, 2006   BKSSHLDG.RVW   20060910


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
If the rich could hire someone to die for them, the poor could
make a very nice living.                            - Jewish Proverb
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#679 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Oct 25, 2006 5:21 pm
Subject: REVIEW: "Hacking for Dummies", Kevin Beaver
BKHACKDM.RVW   20060910

"Hacking for Dummies", Kevin Beaver, 2004, 0-7645-5784-X,
U$24.99/C$35.99/UK#16.99
%A   Kevin Beaver kbeaver@...
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2004
%G   0-7645-5784-X
%I   John Wiley & Sons, Inc.
%O   U$24.99/C$35.99/UK#16.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/076455784X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/076455784X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/076455784X/robsladesin03-20
%O   Audience i- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   358 p.
%T   "Hacking for Dummies"

Why, yes, now that you mention it, I believe that I *did* use this
title in an April Fools joke back in 2002 (cf. BKHAKDUM.RVW).  Turns
out the joke's on me: this time they're serious.

Actually, the introduction points out that the book is about "ethical"
hacking (otherwise known as penetration testing), and is intended for
system administrators, information security managers, and security
consultants who want some tips on security assessment.  So it isn't
exactly a "hack to secure" book, but I can't be expected to be happy
about the title.

Part one is supposed to give you a foundation for ethical hacking.
Chapter one, an introduction, sets out the usual "set a thief to catch
a thief" argument, lists some attack types, and recommends that
readers be ethical.  The usual "hacker mindset" stereotypes are in
chapter two.  Chapter three has a terse but reasonable list of
questions that may assist you in planning for a penetration test.
Some initial sources of information that attackers will use to direct
their assaults are given in chapter four.

Part two purports to get you started on the attack itself.  Chapter
five has a basic but haphazard discussion of social engineering.
Physical security is important, but the material in chapter six is
incomplete, and concentrates more on attacks than countermeasures.
Random trivia about passwords is in chapter seven.

Part three turns to networks.  Chapter eight looks at wardialling.  (I
agree that the practice should not be ignored, if only to find
neglected modems, but the content is still obsolete.)  A list of
vulnerability scanning tools makes up chapter nine.  Wireless hacking,
in chapter ten, has a catalogue of tools, but also suggests useful
countermeasures.

Part four looks at hacking the operating system.  Chapter eleven
repeats the inventory of Windows tools, twelve repeats the Linux
utilities, and thirteen has different tools--because they are
especially for Novell Netware.

Part five moves to application hacks.  Poor information about malware,
and weak suggestions about testing, are in chapter fourteen.  Attacks
against email and instant messaging, in chapter fifteen, are random,
esoteric, and unrealistic.  The content about attacks directed against
web applications, in chapter sixteen, is disorganized and poorly
explained.

Part six deals with the outcomes and results of an ethical hack.
Chapter seventeen provides a terse list of contents for penetration
test reports.  Rectifying security problems is minimally covered in
chapter eighteen.  Ongoing security assessment and awareness programs
are suggested in nineteen.

Part seven is the part of tens, comprising ten tips for getting
management "buy in" (for the idea of "ethical hacking") and ten
mistakes (in conducting a penetration test).

This book may be helpful as a source for suggesting vulnerability
scanning tools, but not much else.

copyright Robert M. Slade, 2006   BKHACKDM.RVW   20060910


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
90% of all infections are Stoned.
                              - the viral corollary to Sturgeon's Law
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#680 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Oct 27, 2006 4:50 pm
Subject: REVIEW: "Writing Secure Code", Michael Howard/David LeBlanc
BKWRSCCD.RVW   20060910

"Writing Secure Code", Michael Howard/David LeBlanc, 2002,
0-7356-1588-8, U$39.99/C$57.99
%A   Michael Howard
%A   David LeBlanc
%C   1 Microsoft Way, Redmond, WA   98052-6399
%D   2002
%G   0-7356-1588-8
%I   Microsoft Press
%O   U$39.99/C$57.99 800-MSPRESS fax: 206-936-7329
%O  http://www.amazon.com/exec/obidos/ASIN/0735615888/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0735615888/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0735615888/robsladesin03-20
%O   Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   477 p. + CD-ROM
%T   "Writing Secure Code"

The introduction states that the purpose of the book is to teach
application designers (and particularly .NET developers) to design,
write, and test application code in a secure manner.

Part one addresses the contemporary security situation.  Chapter one
reviews the need for secure systems.  The text is so supplemented by
notes, comments, text boxes, and sidebars that it becomes difficult to
follow at times.  However, ultimately it does have a lot of
interesting material that would be useful for those who have to make a
case for secure coding practices and processes.  Designing secure
systems, in chapter two, provides a solid list of secure strategy
principles along with details and discussion of them, although much of
this deliberation is restricted to "war stories" which are interesting
but not always useful.  The content makes the point that the mere
addition of security technologies does not always make for secure
applications, which point is not supported by the inclusion, in the
latter part of the material, of a huge list of security technologies.

Part two turns to secure coding techniques.  Chapter three details
that old standard and nemesis, the buffer overflow.  Unfortunately,
most of what is provided is limited to code demonstrating that various
types of buffer overflows exist, and some contentions in regard to
specific C language instructions that should not be used.  Code for
access control list use on Windows NT4 and 2000 is reviewed in chapter
four.  Code, but not design, for running with least privilege occupies
chapter five.  Chapter six is again concerned primarily with source
code for cryptographic operations, although limited to pseudorandom
number generation (paying insufficient attention to seed values), key
management, and miscellaneous topics.  Further functions involved with
encrypting confidential information are in chapter seven.  Chapter
eight turns to canonical representation, although the discussion is
narrowly confined to filenames and issues of traversal.

Part three concentrates on network-based application considerations
even though network connectivity and access have been given as the
reason to pay attention to secure coding in the first place.  Chapter
nine looks at the possibility of port hijacking, and the design of
applications in order to work cooperatively with firewalls.  Securing
the use of RPC (Remote Procedure Calls), ActiveX, and DCOM
(Distributed Common Object Model) is covered well in chapter ten, with
concepts as well as code and good explanations (although I know for a
fact that accessing dcomcnfg on XP is *not* as easy as the authors
want to make out).  Chapter eleven lists some denial of service (DoS)
attacks and generally suggests limiting the resources available to
applications.  Most of the advice on securing Web-based services, in
chapter twelve, boils down to advice not to trust the client, and
various examples of malformed input are described.

Part four contains special topics.  Chapter thirteen details .NET
functions and operations related to security, but also provides
valuable guidance in regard to appropriate (and inappropriate) use.
Testing of secure applications gets a review of standard procedures,
in chapter fourteen, but the material does not provide an abstract
overview of assessment concepts that could be used to find all
possibilities of weakness.  Installation procedures, in chapter
fifteen, could have been useful, but are probably the most Windows-
specific and least practical section of the entire work.  Chapter
sixteen is a bit of a grab bag, but contains worthwhile tips and
principles to follow (mostly in order to avoid common security
pitfalls).

Appendices are usually extraneous material, sometimes added merely to
pad out the page count of a book.  However, the essays included at the
end of this volume could be quite helpful.  There are the ten
immutable laws of security and the ten immutable laws of security
administration, which have become famous in their own right, and have
spread through the Internet, as well as a list of dumb excuses given
for not doing security properly.

Overall, the book contains much that can be of use for those who wish
to develop code that is secure and resistant against bugs and flaws
that may open the application to attack.  However, there is also a
good deal that is irrelevant and not helpful, and a number of issues
that could have been useful have not been included (such as development
methodologies, design strategies, and testing issues).

copyright Robert M. Slade, 2006   BKWRSCCD.RVW   20060910


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Microsoft gambled that making their users fault-tolerant was a
better use of resources than making their software reliable.
                                                       - Paul Guertin
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
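
The review above faults chapter eight for confining canonical representation to filenames and traversal, and chapter six for paying too little attention to PRNG seed values.  The following is an added illustration of those two points, not code from the book or from the review; it assumes a POSIX path layout and uses only the Python standard library, with the document root and file names constructed for the demonstration.

```python
import os
import random
import secrets


def resolve_under_root(root, user_path):
    """Canonicalise a client-supplied file name and confine it to root.

    Returns the absolute canonical path if it lies inside root, or None if
    the request escapes (traversal with '..', an absolute path, a symlink
    pointing outside, or a sibling directory that merely shares a prefix).
    """
    root_real = os.path.realpath(root)
    # os.path.join discards root if user_path is absolute; realpath then
    # collapses '..' segments and follows symlinks, so the check below sees
    # the name the OS would actually open, not the text the client sent.
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    # commonpath compares whole path components, so "/srv/www-old/x" is not
    # mistaken for a child of "/srv/www" the way a plain startswith would be.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def predictable_token(seed, nbytes=16):
    """Token from the general-purpose PRNG, seeded with a guessable value.

    Anyone who knows, or can narrow down, the seed reproduces the token
    exactly; this is the seed-value problem the review says the book skips.
    """
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def secure_token(nbytes=16):
    """Token from the OS CSPRNG; there is no caller-chosen seed to guess."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed sample: the current directory stands in for a document root.
    root = os.path.realpath(".")
    for name in ["docs/index.html", "docs/../index.html",
                 "../outside.txt", "/abs/path"]:
        print(f"{name!r:24} -> {resolve_under_root(root, name)}")
    # Same seed, same token: two "random" values that are in fact identical.
    print(predictable_token(20020101) == predictable_token(20020101))
    print(secure_token() != secure_token())
```

The containment test compares canonical paths component by component rather than the raw request string, which is the point of canonicalising before checking: the decision is made on the name the operating system will open.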

#681 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Oct 30, 2006 6:49 pm
Subject: REVIEW: "The Database Hacker's Handbook", David Litchfield/Chris Anley/John Heasman/Bill Grindlay
secgloss
BKDBHKHB.RVW   20060913

"The Database Hacker's Handbook", David Litchfield/Chris Anley/John
Heasman/Bill Grindlay, 2005, 0-7645-7801-4, U$50.00/C$64.99/UK#31.99
%A   David Litchfield
%A   Chris Anley
%A   John Heasman
%A   Bill Grindlay
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2005
%G   0-7645-7801-4
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$64.99/UK#31.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0764578014/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0764578014/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764578014/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   500 p.
%T   "The Database Hacker's Handbook: Defending Database Servers"

In the brief and disjointed preface and, similarly, introduction (two
pieces which could easily have been combined), we are told that the
book is intended for database administrators, network administrators,
security auditors, and security professionals.  However, there are
implications, right from the start, that this is a "hack to secure"
book and that, instead of real database security, we are going to be
dealing only with server engine bugs.

Part one is an introduction.  Chapter one is supposed to tell us why
we should care about database security, but instead still seems to be
dancing around the issue of bugs in engine code, and particularly the
bugs that the authors (and their relatives) have found.

Part two is about Oracle.  Chapter two tells us something of the
oracle architecture, obfuscated by packet dumps and pages of code for
programs to attack parts of the system.  More of the same is in
chapter three, and, from the examples, it is not always clear how some
of these "attacks" differ from the simple ability of authorized users
to make changes to the system.  Possible operating system and network
attacks related to Oracle's command system are outlined in chapter
four.  Chapter five recommends various configurations and options for
making an Oracle database server more secure.

Part three looks at DB2.  Chapter six is an introduction to the
product (and pages of code for an authentication request).  Then there
are more pages of programming for finding a DB2 server (chapter seven)
and attacking it (eight).  Chapter nine is a terse mention of some
factors to consider when securing the system.

Part four reviews Informix, with architecture (ten), attack code
(eleven), and configuration for security (twelve).

Sybase gets the same treatment in part five.  This time the code (in
chapter fourteen) just gets the version number and chapter fifteen
looks at commands that can be passed to the network.

The popular MySQL is dealt with in part six.  Since the product is
open source, the examination of the architecture, in chapter
seventeen, is more detailed and the advice on configuration, in
chapter twenty, is equally extensive.

Part seven chooses SQL Server as its topic.  Architecture, attack,
hardening: no surprises.

Part eight turns to PostgreSQL.  Same.

OK, we get it.  Unpatched applications have holes.  Big surprise.  The
authors have provided very little that will be of use to database
administrators, network administrators, security auditors, and
security professionals.

copyright Robert M. Slade, 2006   BKDBHKHB.RVW   20060913


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
         Microsoft is not the ANSWER.  Microsoft is the QUESTION,
                         and the ANSWER is NO!
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#682 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Nov 1, 2006 5:08 pm
Subject: REVIEW: "Phishing Exposed", Lance James
secgloss
BKPHSEXP.RVW   20060913

"Phishing Exposed", Lance James, 2005, 1-59749-030-X, U$49.95/C$69.95
%A   Lance James est@...
%C   800 Hingham Street, Rockland, MA   02370
%D   2005
%G   1-59749-030-X
%I   Syngress Media, Inc.
%O   U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/159749030X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/159749030X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/159749030X/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   395 p.
%T   "Phishing Exposed: Uncover Secrets from the Dark Side"

Most of chapter one is a definition for spam, with minor mentions of
phishing.  Different types of phishing messages and Websites are
listed in chapter two, with a lot of HTML code and screenshots.
Chapter three looks at email structures, email headers, and
indications of spam messages.  The basic operation of the Web starts
out chapter four, which also presents more HTML phishing code and
screenshots.  This is extended with malicious HTML code snippets and
lots more screenshots in chapter five.  Chapter six talks about money
movement and laundering (as well as having code for botnets, for some
reason).  A grab bag of random information finishes out the book in
chapter seven.

Phishing is when a Website or email message fools you into giving away
your personal information so the bad guys can use it and steal your
money.  Beyond that, the book doesn't tell you much of any use.

copyright Robert M. Slade, 2006   BKPHSEXP.RVW   20060913


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
                 On the other hand, you have different fingers.
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#683 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Nov 3, 2006 7:33 pm
Subject: REVIEW: "Preventing Web Attacks with Apache", Ryan C. Barnett
secgloss
BKPRWAWA.RVW   20060913

"Preventing Web Attacks with Apache", Ryan C. Barnett, 2006,
0-321-32128-6, U$49.99/C$66.99
%A   Ryan C. Barnett
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2006
%G   0-321-32128-6
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$66.99 416-447-5101 fax: 416-443-0948
%O  http://www.amazon.com/exec/obidos/ASIN/0321321286/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321321286/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321321286/robsladesin03-20
%O   Audience a- Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   582 p.
%T   "Preventing Web Attacks with Apache"

Chapter one notes that there have been many attacks against Web
servers and the applications running on them.  It also lists the
common excuses presented for a lack of security preparation (and
assesses the weakness of those arguments).  Hardening of the (UNIX)
operating system, and network operating system, in order to establish
a trusted computing base for the Web server application, is dealt
with in chapter two.  Initial installation of the Apache software is
covered in chapter three.  Chapter four reviews the configuration
file, and properly secure settings and options.  Security related
modules in the Apache suite are discussed in chapter five.  Chapter
six reviews the Center for Internet Security Apache security benchmark
tool.  The Web Application Security Consortium (WASC) threat
classification system is described, in chapter seven, with specific
reference to Apache countermeasures against these attacks.  (The
material provides nice explanations and examples of a variety of
exploits.)  Buggy Bank, an intentionally flawed e-commerce application
that provides practice in hardening a Web server, is outlined in
chapter eight.  Chapter nine looks at various countermeasures and
controls that can be applied to Web servers and sites, noting
strengths and weaknesses, and also noting which work most effectively,
as well as which can be implemented via Apache functions.  If you'd
like to do primary research and gather information on attacks and the
level of threat to Web servers, chapter ten details the settings and
requirements for using Apache to set up a honeypot server.  Chapter
eleven finishes off with basic advice on issues such as patch
management, and also broadens the discussion to some fundamental
concerns in Internet security measures.

A helpful guide for those using Apache.

copyright Robert M. Slade, 2006   BKPRWAWA.RVW   20060913


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Gourmet coffee shops -- just what we need ... a place where
people who talk too much anyway can go for caffeine.
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#684 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Nov 13, 2006 7:59 pm
Subject: REVIEW: "No Fluff Just Stuff 2006 Anthology", Neal Ford
secgloss
BKNFJS6A.RVW   20060915

"No Fluff Just Stuff 2006 Anthology", Neal Ford, 2006, 0-9776166-6-5,
U$29.95/C$38.95
%E   Neal Ford
%C   Dallas, TX
%D   2006
%G   0-9776166-6-5
%I   Pragmatic Bookshelf
%O   U$29.95/C$38.95 800-699-PROG
%O  http://www.amazon.com/exec/obidos/ASIN/0977616665/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0977616665/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0977616665/robsladesin03-20
%O   Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   240 p.
%T   "No Fluff Just Stuff 2006 Anthology"

"No Stuff Just Fluff" is a seminar/conference series: to judge from
the contents of the book, the seminars are limited to Web development.
One feature of the conferences is a dinner for the speakers who are
asked to present, away from the attendees.  In such circumstances you
could expect inside jokes, opaque jargon, and cryptic references that
are generally deliberately designed to keep outsiders in the dark.

The editor explains this, and notes that this book, a collection of
papers from speakers at the seminars, might be likened to one of these
dinners.  He may be right.  A number of the essays seem to be using
terminology all their own.

At the same time, while the majority of the articles present a
favourite tool or two, some appear to be rediscovering practices that
other fields of development have known for some time.  Versioning,
content management, configuration control, build control, and
dependency analysis are all described.  (Then there are a couple of
papers that might be interesting for a larger audience: one outlining
some of the "agile" development methods, and another that promotes CSS
[Cascading Style Sheets], even though it doesn't do a particularly
good job of explaining the topic.)

It is, therefore, intriguing to find that the last item in the work
states just that: Web developers are starting to discover what other
programmers have known for years.

At the same time, there is one aspect of the text that I find
incredibly depressing.  While software safety and security is starting
to become an issue for both general systems developers and security
professionals (and especially in regard to Web development), these
guys seem to be actively advocating practices that are known to be
incredibly dangerous, such as relying on the client for validation and
authentication.

Hopefully it won't be too long before they catch up on that one.

copyright Robert M. Slade, 2006   BKNFJS6A.RVW   20060915


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Charm is a way of getting the answer yes without having asked any
clear question.                                       - Albert Camus
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#685 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Nov 15, 2006 6:49 pm
Subject: REVIEW: "The Security Risk Assessment Handbook", Douglas J. Landoll
secgloss
BKSCRAHB.RVW   20060919

"The Security Risk Assessment Handbook", Douglas J. Landoll, 2006,
0-8493-2998-1
%A   Douglas J. Landoll
%C   920 Mercer Street, Windsor, ON   N9A 7C2
%D   2006
%G   0-8493-2998-1
%I   Auerbach Publications
%O   +1-800-950-1216 auerbach@... orders@...
%O  http://www.amazon.com/exec/obidos/ASIN/0849329981/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0849329981/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0849329981/robsladesin03-20
%O   Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   473 p.
%T   "The Security Risk Assessment Handbook"

Chapter one is an introduction.  Landoll's text is initially rather
preachy and biased.  The first couple of sections appear to take the
position that industry has failed in its responsibility to secure
information systems, and therefore (the United States federal)
government has had to take charge.  He then lists (although does not
describe in any detail) various security frameworks and guidelines,
and argues that, simply on the basis of a lack of congruence between
these documents, "best practices" are a myth.  His conclusion, that
risk-based security planning is better, seems oddly gleeful in the
context of such an otherwise dour piece of writing.

Unfortunately, the author does not seem to do any better with risk-
based security planning, right off the top.  We are told (on page
four) that "the establishment of an information security program is
not the topic of this book.  The topic of this book is how to perform
and review an information security program," which statement(s) must
surely rank highly in terms of self-contradiction and confusion.

Were the reader to quit after this inauspicious, muddled, and verbose
beginning, however, it would be to miss a work of some value.  Within
pages, Landoll clarifies the rationale for, and types of, risk
assessment, as well as explaining the purpose of this volume in light
of other existing assessment tools and documents.  (To his credit,
where other authors tend to denigrate alternative references, Landoll
notes their respective strengths, and then states the extension that
his book provides.)

It is frustrating to attempt a single assessment of the book.  The
text has value, but also annoyances.  Chapter two provides a useful
guide to the basic components of the risk assessment process (which
forms the structure for much of the rest of the book).  At the same
time, where Landoll has been using the business-oriented breakdown of
control types (into administrative, technical, and physical), when
discussing safeguards he suddenly switches to the categories of
preventive, detective, corrective, et cetera, that are more familiar
to those in the government and military.  (Interestingly, for someone
from a strongly governmental background, Landoll does not fill out the
list with recovery, compensating, deterrent, and directive.)  In
addition, when reviewing the concept of residual risk, two new terms
of "static" and "dynamic" risk are introduced.  Although the terms are
poorly defined, "static" seems simply to refer to residual risk, while
"dynamic" appears to mean nothing more than risk itself.  Therefore,
these two new entries provide no distinct value to the discourse, and
only serve to confuse the issues.

Again, chapter three covers the vital topic of the definition of
objectives and scope of a risk assessment project.  When discussing
the "customer" for a review, "Risk Assessment Method" and "Objective
Review" seem to be presented as potential clients.  While the question
of quality of work would certainly appear to be a legitimate concern
in dealing with project extent, Landoll includes a great deal of
material relevant only to the final report, such as grammatical
correctness and visually pleasing presentation.  On the other hand,
there is a good deal of very practical content addressing issues of
realistic scope and reasonable budgeting.  The preparation phase is
covered in chapter four, dealing both with practical issues such as
letters of introduction, more esoteric concerns of system and asset
criticality, and also reviewing a number of methodologies and
approaches to risk assessment (although primarily at a conceptual
level).

Chapter five starts a string of chapters on various types of data
collection.  It leads off with general discussions on the topic,
examining questions of sampling and related issues.  (Landoll is not
always careful about explaining terms before starting to use them:
neither the index nor any part of the text notes that the RIIOT
method, which is used extensively in the chapter, is merely an acronym
for the phases of review, interview, inspect, observe, and test.)  The
gathering of data on administrative safeguards, in chapter six, has
good checklists of items to assess, and uses the RIIOT format to
structure the areas and phases of the elements to consider.  (There is
a rather odd reluctance to discuss policy, and an even stranger
overemphasis on two-man controls.)  Moving into technical
countermeasures, chapter seven starts off with a section on attacks
and controls.  There are very odd errors in the text: the distinction
between SPAM (the Hormel food product) and spam (bulk unsolicited
commercial or fraudulent messages) may be subtle but every security
specialist should know it and yet Landoll uses SPAM throughout.  The
section on antivirus protection is weak, cross-references are spotty,
and Landoll uses an old (and generally abandoned) type of firewall
(session-level, which is an amalgamation of stateful and circuit-level
proxy).  Intriguingly, authentication is not addressed with technical
controls, but (rather weakly) with physical protection, in chapter
eight.  Most of the discussion of physical security outlines
particular safeguards, and there is little deliberation on risk
assessment or the factors that can influence it.  (For example,
various power supply alternatives are discussed, including the rather
esoteric flywheel generator, but the idea of requesting information
from the utility on past power outages doesn't seem to have occurred
to the author.)

Chapter nine does turn to security risk analysis, briefly, but with
some helpful pointers for the evaluation process.  Risk mitigation, in
chapter ten, looks rather tersely at choice of controls, and does an
oddly complicated review of cost/benefit analysis.  Styles for
different types of reports resulting from risk assessment are outlined
in chapter eleven.  Chapter twelve presents a fairly standard look at
project management (with extra emphasis on reporting).  Chapter
thirteen lists, but does not adequately describe, various risk
assessment methodologies.

Despite the weaknesses, oddities, and gaps in the book, it does
provide a decent overall guide, and some very useful practical
suggestions.  It is not quite complete in all areas, and therefore
likely unsuitable as the sole source of advice on the risk assessment
process for the novice, although the newcomer would not go far wrong
in following the counsel of this work.  The experienced security or
risk assessment professional will still find valuable recommendations
and advice.  For anyone in the security or risk analysis field, the
book is well worth considering.

copyright Robert M. Slade, 2006   BKSCRAHB.RVW   20060919


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Bodily exercise, when compulsory, does no harm to the body; but
knowledge which is acquired under compulsion obtains no hold on
the mind.                                      - Plato, The Republic
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#686 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Nov 17, 2006 11:21 pm
Subject: REVIEW: "Incident Response", E. Eugene Schultz/Russell Shumway
secgloss
BKIRSGHS.RVW   20060906

"Incident Response", E. Eugene Schultz/Russell Shumway, 2002,
1-57870-256-9, U$39.99/C$59.95/UK#30.99
%A   E. Eugene Schultz
%A   Russell Shumway
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2002
%G   1-57870-256-9
%I   Macmillan Computer Publishing (MCP)/New Riders
%O   U$39.99/C$59.95/UK#30.99 800-858-7674 317-581-3743 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/1578702569/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1578702569/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1578702569/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   384 p.
%T   "Incident Response: A Strategic Guide to Handling System and
       Network Security Breaches"

Beyond saying that security breaches occur, and that we need to
respond to them, the introduction doesn't tell us much about either
the topic or the book.

Chapter one contains a good deal of material with which security
professionals will agree, but it does not provide helpful guidance.
The attempt to define "incidents" is not wrong in any particular, but
is tautological and of limited utility.  "Risk Analysis," in chapter
two, briefly repeats the usual procedures, but expends most of its
text in details of specific (mostly network) system attacks.  A
suggested methodology for incident response is provided in chapter
three, along with a justification for the use of a formal process.
(Many may find it ironic that much of the rationale for formal methods
has to do with expecting the unexpected.)  (The process is given in
the acronym PDCERF, which stands for preparation, detection,
containment, eradication, recovery, and followup, but the text, rather
unsettlingly, presents a number of variations on the acronym
throughout the chapter.)  Chapter four deals with forming and managing
an incident response team, and the content is mostly concerned with
communications, corporate culture, and management.  This material is
extended in chapter five, which covers other factors involved with
organizing for incident response.

Chapter six turns to a slightly more technical topic, regarding the
tracing of network attacks.  This is an overview, with only limited
technical content, but even so a few items are suspect (such as the
implication that MAC [Media Access Control] addresses are permanent
and fixed).  Legal issues related to incident response are reviewed in
chapter seven.  Chapters eight and nine provide an overview of
computer forensics, as well as good advice on the handling and
management of evidence, but at a conceptual, rather than technical,
level.  Insider attacks are difficult to determine and protect
against, and chapter ten tacitly admits this by spending a lot of time
just telling stories.  Chapter eleven (written by an outside author)
examines criminal profiling and other incident response factors
related to social sciences.  Honeypots and other types of deception
aimed at the attacker are the subject of chapter twelve.  Chapter
thirteen finishes off with a look at emerging tools and directions.

While still flawed, this work is probably more practical than Mandia
and Procise's law enforcement oriented volume (cf. BKINCDRS.RVW), van
Wyk and Forno's somewhat less detailed work (cf. BKINCRES.RVW), or
Schweitzer's basic and wordy tome (cf. BKINCRSP.RVW) (all, of course,
are entitled "Incident Response").

copyright Robert M. Slade, 2006   BKIRSGHS.RVW   20060906


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
  ...death coming at the hands of your own creation.  That's part of
the human epic tradition, after all. Oedipus and his father,
Baron Frankenstein and his monster, William Henry Gates
and Windows '09.
                        - David Brin, `Kiln People', Chap. 41, p. 396
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#687 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Nov 27, 2006 6:03 pm
Subject: REVIEW: "IT Governance", Alan Calder/Steve Watkins
secgloss
BKITGVRN.RVW   20061007

"IT Governance", Alan Calder/Steve Watkins, 2005, 0-7494-4394-4,
U$84.57/C$93.89
%A   Alan Calder
%A   Steve Watkins
%C   120 Pentonville Rd, London, UK, N1 9JN
%D   2005
%G   0-7494-4394-4
%I   Kogan Page Ltd.
%O   U$84.57/C$93.89 +44-020-7278-0433 kpinfo@...
%O  http://www.amazon.com/exec/obidos/ASIN/0749443944/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0749443944/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0749443944/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   368 p.
%T   "IT Governance: A Managers Guide to Data Security and BS 7799/
       ISO 17799"

The introduction states that this book is intended for business
managers, board members, and other senior executives, rather than IT
specialists.

Chapter one, preaching about the rationale behind information
security, reiterates the material given in the introduction.
Management and reporting regulations for the UK (the Combined Code)
and the US (Sarbanes-Oxley) are discussed in chapter two.  Chapter
three is supposed to outline and explain the BS (British Standard)
7799, and while it does recommend designing your own information
security management system, much space is devoted to promoting sales
of the BS 7799 standard through the authors' Websites.  More vague
encouragement to produce a security management system is given in
chapter four.

Chapter five contains a limited and generic deliberation on high-level
security policies.  Similarly terse overviews are given in subsequent
chapters for risk (six), assets (eight), human resources (nine,
concentrating on hiring), and physical security (in ten, and, for some
reason, addressed specifically at equipment in eleven).  Chapter seven
seems oddly out of place in this series, looking at access
requirements for partners, contractors, clients, and other outsiders.

There are a number of odd inclusions in the work that seem
misclassified.  Chapter twelve titularly combines the two issues of
communications and operations security (in reality only talking about
operations).  Malware and backups are examined (tersely, erroneously,
and insufficiently) in thirteen while fourteen looks at networks and
media.  An undefined topic of "information exchange" makes for a
confusing chapter fifteen, with a grab bag of trivia about e-commerce
filling out sixteen.  An odd acceptable use policy for email and Web
use is in chapter seventeen.

An incomplete list of procedures for issuing and reviewing access is
in chapter eighteen.  Chapter nineteen has very spotty coverage of
network access controls, implying that encryption is always present in
a virtual private network (VPN: it isn't, VPNs are defined more by
management than confidentiality), there is no discussion of the
different types of firewalls, and intrusion detection is limited to
those with network-based sensors.  Access to the operating system is
reviewed in chapter twenty, and applications in twenty-one (with an
odd inclusion of mobile or remote computing).

Chapter twenty-two is a nominal look at applications development.  A
vague and fragmentary overview of cryptography makes up twenty-three.
Application development appears again in chapter twenty-four, along
with some pondering about access to operating system files.  (The
authors actually admit, in the text, that there is no necessary
relation between the two topics.)  Audit logs and incident response
are examined in twenty-five, a brief look at business continuity
planning is in twenty-six, lengthy advice to adhere to relevant (UK)
laws is in twenty-seven, and chapter twenty-eight suggests that you
use outlines from the authors' Website to prepare for a BS 7799 audit.

The text has a Web component to it, and this is referred to in a
number of places in the work.  However, it should also be noted that
this Web component is also promoted, in the publication, as a general
security management portal (unrelated to the book), and it is, in
fact, the Website of the consultancy run by one of the authors.  The
files available on the site do not deliver the promised information:
first, the files, when you do get to download them, lack any
indication as to type, and when you finally find out which file format
they are (mostly PDFs, with a few XLSs) the contents are generally of
the marketing brochure level, advising you to buy further materials
from the site.

The book is extremely verbose, with a turgid style that makes
excessive use of business buzzwords.  In addition, points are repeated
many times in different places with minor variations in wording or
emphasis.  The central content could have been provided in a much
shorter work (which would probably have been easier to read).  (Given
the targeted audience at the executive level, one would think that a
shorter work would have been more appropriate.)

Senior managers do not have to know all the technical details,
granted.  Even so, the level of technical information provided is
inconsistent, and the quality is often suspect.  It is probably more
important that the structure of the book makes no sense either in
technical or in management terms: the various subjects are dealt with
in a random fashion that will provide the reader with no understanding
of either the base technical concepts or the interdependencies between
different classes and types of controls.

While many senior managers may have desperate need of some kind of
guidance in regard to the management of security within information
systems, this work is probably not going to provide it.  The subtitle,
in particular, is misleading: there is a great deal of interest in BS
7799 and ISO 17799 but, aside from mentioning sections of the
standards relating to the topics under discussion, there is really no
information about the standards themselves.

copyright Robert M. Slade, 2006   BKITGVRN.RVW   20061007


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
        The things that count most in life, usually can't be counted.
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#688 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Nov 30, 2006 5:07 am
Subject: REVIEW: "Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools", Christian B. Lahti/Roderick Peterson
BKSOITCU.RVW   20061013

"Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools",
Christian B. Lahti/Roderick Peterson, 2005, 1-59749-036-9,
U$49.95/C$69.95
%A   Christian B. Lahti
%A   Roderick Peterson
%C   800 Hingham Street, Rockland, MA   02370
%D   2005
%G   1-59749-036-9
%I   Syngress Media, Inc.
%O   U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597490369/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597490369/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597490369/robsladesin03-20
%O   Audience a- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   333 p. + CD-ROM
%T   "Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools"

"This book is essentially a technical book, with as much applicable
content as we could muster by way of open source technologies and how
they fit into the Sarbanes-Oxley sphere of influence."  Thus speaketh
the authors in chapter one (page 4), giving us, almost immediately,
fair warning that there may be problems in this book.  For one thing,
the Sarbanes-Oxley (SOX) law is *not* technical (if it were, the
drafters would have known not to give the central point related to
information technology section number 404).  The authors seem to be
intent on listing off all manner of open source programs, using the
magic title of SOX to add legitimacy to an otherwise aimless
catalogue.  (The use of vague buzzwords is also supposed to increase
the perceived erudition of the work, although the authors seem to
stumble occasionally, such as when they confuse the French "voila"
with the musical "viola" on page 5.)  If the authors were truly to
answer some of the questions that they pose (for example, is open
source software compliant with the law, and can it reduce the costs of
achieving and monitoring compliance) then the text might have some
utility.  However, there is no introduction to the legislation as
such, and the list of roles within an organization has little specific
relevance to the issues underlying the analysis, integrity, and
reporting of financial data.  Most of the space in the initial chapter
is devoted to screenshots of Knoppix, a poorly explained installation
section, and a list of the programs in the eGroupware application.

SOX and COBIT are supposed to be defined in chapter two.  SOX gets
almost no exegesis, while there is a list of some of the COBIT
objectives.  Chapter three lists various open source security tools,
has some random notes on policy and auditing, and a "sample" policy on
password change.  The usual promotional piece for open source software
makes up chapter four, with the standard arguments for using open
source, but no new rationale for the application to this particular
topic.

Chapters five through eight are based on four domains from COBIT
(loosely based on the Deming plan-do-check-act cycle).  In sequence,
we have planning and organization, acquisition and implementation,
delivery and support, and monitoring.  Each of the chapters has a
section entitled "What does [name of domain] mean?" but these
questions are not answered in any useful way.  Each chapter has an
extensive (but not comprehensive) list of tasks that might be
undertaken, and each delves deeply into the technical minutiae of one
or more isolated topics.

Chapter nine finishes off with miscellaneous advice in random areas.

If you have no experience with security, and are scared stiff of even
approaching SOX, this book may get you working on some areas that will
probably be useful.  Mind you, if you don't get information from other
sources, you may find that there are gaps in your security that you
never considered.  If you are experienced in security, and want to
know about SOX or COBIT, and what you should do about them, you will
be very disappointed with what you find in this text.  If you want to
know about open source security tools, you will be even more
frustrated.

(Having a Knoppix boot CD around might be handy, if you know how to
use it.)

copyright Robert M. Slade, 2006   BKSOITCU.RVW   20061013
infosecbc@yahoogroups.com


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Those who are too smart to engage in politics are punished by
being governed by those who are dumber.       - Plato (427-347 B.C.)
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#689 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Dec 1, 2006 9:49 pm
Subject: REVIEW: "Phishing: Cutting the Identity Theft Line", Rachael Liniger/Russell Dean Vines
BKPHSHNG.RVW   20061014

"Phishing: Cutting the Identity Theft Line", Rachael Liniger/Russell
Dean Vines, 2005, 0-7645-8498-7, U$29.99/C$38.99/UK#18.99
%A   Rachael Liniger
%A   Russell Dean Vines
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2005
%G   0-7645-8498-7
%I   John Wiley & Sons, Inc.
%O   U$29.99/C$38.99/UK#18.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0764584987/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0764584987/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764584987/robsladesin03-20
%O   Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   309 p.
%T   "Phishing: Cutting the Identity Theft Line"

The introduction to the book provides a good, and very realistic,
prologue to the topic of phishing.  The audience for the work is said
to consist of executives and incident response teams for banks and
large corporations, information security professionals, and general
Internet users.

Chapter one furnishes the reader with a solid overview of the subject,
although it would seem to be aimed primarily at individual Web and
email users.  "Phishing Emails," in chapter two, explains various spam
hiding and URL obfuscation technologies.  The list is not exhaustive,
but is sufficient to illustrate the basic concepts clearly.  (The
writing, in this chapter by Rachael Liniger, is delightful.  Wit and
humour are used extensively, and to good effect.)  Chapter three
presents information on false or obfuscated URLs, as well as useful
detail on pop-ups: the content is much superior to other sources on
the same topic.  (There is also an oddly placed section on public key
encryption.)  Spyware is reviewed in chapter four.

You cannot stop phishing completely, notes chapter five, examining
various players in the fight against identity theft and the
limitations of the action they can take.  Chapter six is supposed to
be about helping the organization to avoid phishing, and sets forth
some policies in regard to email and Websites that are very practical
in preventing abuse.  (The section on authentication schemes is less
so, and eventually the chapter devolves into random topics.)  A
generic and sometimes terse outline of incident response and network
forensics makes chapter seven poor in relation to other parts of the
book.  In terms of consumer education, chapter eight has a number of
recommendations for safer computing, with lots of "avoid Microsoft"
advice, but also configuration settings, a bit of email analysis
material, and an admonition to check your home finance statements
carefully.  Chapter nine deals with actions to take if you,
personally, are the victim of identity theft.  (Most of the agencies
mentioned are based in the United States, but the resource list does
have some additional contacts for the UK and Germany.)

Identity theft (and, by extension, phishing) is a major problem, and
not enough is being done to address the issue.  This book lays out the
risks and threats clearly, and proposes practical solutions for a
variety of actors in the drama.  The text is readable and the concepts
are clear.  I can recommend this work to almost anyone involved in a
security role, particularly those in the financial or online
industries, law enforcement, or working in the field of security
awareness.

copyright Robert M. Slade, 2006   BKPHSHNG.RVW   20061014


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Ah! When I were lad, we used to 'ave t'wait 40 milliseconds
on noisy channel wi' 'uge 58 volt bits *and* rounded edges
for a network link to come oop--*and* login both ends!
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#690 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Dec 4, 2006 8:41 pm
Subject: REVIEW: "The Art of Project Management", Scott Berkun
BKARPRMA.RVW   20061023

"The Art of Project Management", Scott Berkun, 2005, 0-596-00786-8,
U$39.95/C$55.95
%A   Scott Berkun www.scottberkun.com
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2005
%G   0-596-00786-8
%I   O'Reilly & Associates, Inc.
%O   U$39.95/C$55.95 800-998-9938 707-829-0515 fax: 707-829-0104
%O  http://www.amazon.com/exec/obidos/ASIN/0596007868/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596007868/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596007868/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   488 p.
%T   "The Art of Project Management"

The preface states that the audience for the book consists of new or
experienced managers or team leaders, programmers working on large
projects, or students of business management, product design, or
software engineering.  Chapter one is titularly a history of project
management, but contains vague and pedestrian advice with little
historical background of any substance.  There is a mention that
Microsoft's program management incorporates both technical and
marketing input, but the text does not say much about management as
such.  (Berkun does state that Microsoft's system is an example of
"matrix organization," but although this term is used a number of
times and is obviously significant to the author, the concept is not
well defined in the book.)  A list of conflicting behaviours and
characteristics of managers could possibly be useful as a reminder to
examine one's own preferences and conduct.

Part one outlines the planning phase and activities involved in a
project.  Chapter two takes a rather pessimistic look at schedules.
There are good points on the purpose and psychological benefits of
timetables, as well as practical advice on rough estimates and how to
make them more accurate, but the material is also bloated with
verbiage.  The look at planning, in chapter three, concentrates on
arguments and communications, and is not organized very well.  "The
vision thing" is often undefined in business, and chapter four doesn't
stray far from the vague model, but it does cover overall objectives
and offers some tips on how to write vision documents.  Chapter five,
while it is supposed to deal with how to generate ideas, focusses on
requirements, specifications, and the elicitation of those details.
Scope creep, an ever present danger in any project, is minimally
analyzed in chapter six.

Part two turns to specific project management skills.  Chapter seven
examines the writing of specifications, and is mostly a warning
against the over-engineered "one-size-fits-all" templates suggested
for that purpose.  After telling us that the standard advice on making
decisions is of no use, Berkun gives us the standard advice on making
decisions, in chapter eight.  The usual admonitions are also given in
chapter nine, this time about communication and relationships.  It is
rather ironic that chapter ten, in giving a list of ways to annoy
people (and conversely, how not to), states right off the top that the
best way to make people turn you off is to assume that they are
ignorant.  The text then goes on to provide generic and banal counsel
on process (mostly administrative controls).  The recommendations on
using email repeat tips given previously on communications, and miss
the fact that email really is a very specialized form and subject to
generating misunderstandings.  The tips for planning meetings are
decent, but limited.  Chapter eleven has vague guidance on what to do
when things go wrong.

Part three is entitled management, but concentrates on leadership.
Some good messages on trust are given in chapter twelve, but the
content is more verbose than necessary, and the basic tips get lost in
the stories.  Chapter thirteen is supposed to be about "making things
happen," but ends up being a grab bag of project operation topics and
tips.  Scheduling is revisited in chapter fourteen, with more
low-level detail.  It's hard to pin down a topic for chapter fifteen, but
much of the content deals with changes to requirements, and setting
priorities for handling bugs.  Chapter sixteen finishes off the book
with a melange of politics and psychology.

Experienced managers might find this amusing and potentially useful
bedtime reading: there won't be anything new, but there may have been
some things you've forgotten.  Those who are new to the management
task will probably find this to be a helpful guide: there are pieces
missing, but most of the important stuff is here, and it gives you
enough to get going.

copyright Robert M. Slade, 2006   BKARPRMA.RVW   20061023


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
It is easier to get forgiveness than permission.    - Alan J. Perlis
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#691 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Dec 6, 2006 4:52 pm
Subject: REVIEW: "Penetration Tester's Open Source Toolkit", Johnny Long et al
BKPTOSTK.RVW   20061031

"Penetration Tester's Open Source Toolkit", Johnny Long et al, 2006,
978-1-59749-021-0, U$59.95/C$83.95
%A   Johnny Long et al johnny.ihackstuff.com
%C   800 Hingham Street, Rockland, MA   02370
%D   2006
%G   978-1-59749-021-0
%I   Syngress Media, Inc.
%O   U$59.95/C$83.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O   www.amazon.com/exec/obidos/ASIN/9781597490210/robsladesinterne
%O   www.amazon.co.uk/exec/obidos/ASIN/9781597490210/robsladesinte-21
%O   www.amazon.ca/exec/obidos/ASIN/9781597490210/robsladesin03-20
%O   Audience s Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   704 p. + CD-ROM
%T   "Penetration Tester's Open Source Toolkit"

There is no preface or explanation for the book, so you have to infer,
from jacket references and other mentions, that the work is based
(possibly very loosely) on Max Moser's Auditor Security Collection of
(open source) penetration testing tools, available at
www.remote-exploit.org.  It is difficult to say how close the relationship
between the text and the CD is, since there isn't even a listing of
the contents of the Auditor Security Collection, although the
collection is included on the CD-ROM that is packaged with the primer.

Chapter one addresses the reconnaissance phase of a penetration.
There is a general introduction to the task and a listing of some
available tools, both in software and utility Websites.  Some of the
concepts of port scanning are outlined in chapter two, although the
explanations are sometimes careless.  (It is possible to obtain
information related to scanning through passive means, but the
implication that port scanning itself is a passive activity is
misleading at best.)  A few tools for examining Oracle and Microsoft
SQL Server databases are listed in chapter three.  Chapter four turns
to Web servers (and applications).  Various tools are described,
mostly with extensive (and not always illustrative) screenshots.
There is also a brief but wide-ranging overview of general penetration
testing ideas (such as methods for trying to find the ever-present
buffer overflows).  Wireless networks are described in detail in
chapter five, particularly in terms of the weaknesses of the various
forms of encryption technologies used.  Chapter six describes a number
of standard network utilities, plus some of the more recent mapping
and enumeration tools.

Chapter seven is supposed to introduce readers to the joys of writing
security utilities for the open source community, but screenshots of
development environments and lists of keywords are not going to teach
anyone to code, let alone design elegant tools.

There is a meager description of the Nessus vulnerability scanner in
chapter eight, although it is complemented by a detailed outline of
the Auditor startup script and options.  Chapter nine covers the
Nessus Attack Scripting Language (NASL) so you can script your own
attacks.  Nessus libraries and references are discussed in chapter
ten.  The calls for Nessus SMB (Server Message Block) programming, in
chapter eleven, allow attacks to be scripted for Microsoft Windows
systems.

Chapter twelve is an introduction to the interfaces and options of the
Metasploit Framework (MSF) exploit and vulnerability coding utility.
Chapter thirteen purports to be about writing your own exploits for
and in Metasploit, but instead walks through the examination of a
buffer overflow situation.  Metasploit tools are used, but poorly
explained, and the exegesis of writing modules for Metasploit is
similarly inadequate.

The chapters of the book are written by different authors, so the
quality of both writing and material varies tremendously.  The lack of
direction in terms of the intent of the work does not help in
assessing either the overall value or specific groups who might
benefit from the text.  Much of the space is taken up with screenshots
and illustrations of dubious merit, and the text, while often
informative, is sparsely structured and generally aimed at a level
which is either too simplistic or too advanced to be used as an
introduction to the tools or techniques being discussed.  There are
nuggets of information throughout the work, but you have to plow
through a lot of stuff to find them.

copyright Robert M. Slade, 2006   BKPTOSTK.RVW   20061031


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Heaven is my throne and the earth is my footstool.  Where is the
house you will build for me?  Where will my resting place be?
Has not my hand made all these things, and so they came into
being?                                               - Isaiah 66:1,2
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#692 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Dec 8, 2006 5:25 pm
Subject: REVIEW: "Kim", Rudyard Kipling
BKKIM.RVW   20061124

"Kim", Rudyard Kipling, 1901, 0-812-56575-4
%A   Rudyard Kipling
%C   49 West 24th Street, or 175 Fifth Avenue, New York, NY  10010
%D   1901 (no, it isn't a Y2K joke)
%G   0-812-56575-4
%I   Tor Books/Tom Doherty Assoc.
%O   pnh@... www.tor.com
%O  http://www.amazon.com/exec/obidos/ASIN/0812565754/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0812565754/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0812565754/robsladesin03-20
%O   Audience n+ Tech 3 Writing 3 (see revfaq.htm for explanation)
%P   307 p.
%T   "Kim"

Kipling packed a great deal of information and concept into his
stories, and in "Kim" we find The Great Game: espionage and spying.
Within the first twenty pages we have authentication by something you
have, denial of service, impersonation, stealth, masquerade,
role-based authorization (with ad hoc authentication by something you
know), eavesdropping, and trust based on data integrity.  Later on we
get contingency planning against theft and cryptography with key
changes.

Beyond all this, and repeatedly throughout the story, we have social
engineering: misdirection, analysis of situations and characters, the
maneuvering and manipulating of people so that they do what you want,
all the while thinking that it was their idea.  The explanation given
is at once subtle and lucid, and is both more useful and much more
entertaining than that given by Mitnick in "The Art of Deception" (cf.
BKARTDCP.RVW).

Kipling is, perhaps, too gentle a writer for the thriller genre.  He
is, though, a better wordsmith than most of those who work in that
idiom.  His command of dialogue is unparalleled: in "Kim" there is no
need to identify the individual speakers, for they are as instantly
distinguished in the text as they would be by speech.

I heartily recommend "Kim" to anyone in the security field, or anyone
who wants a decent read.

copyright Robert M. Slade, 2006   BKKIM.RVW   20061124

Merry Christmas

======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
As long as the world is turning and spinning, we're gonna be
dizzy and we're gonna make mistakes.                    - Mel Brooks
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#693 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Dec 11, 2006 8:08 pm
Subject: REVIEW: "Understanding and Managing Cybercrime", Samuel C. McQuade
BKUMCBCR.RVW   20061105

"Understanding and Managing Cybercrime", Samuel C. McQuade, 2006,
0-205-43973-X
%A   Samuel C. McQuade scmcms@...
%C   75 Arlington Street, Boston, MA   02116
%D   2006
%G   0-205-43973-X
%I   Allyn and Bacon (Pearson)
%O   U$60.80/C$77.200 www.ablongman.com
%O  http://www.amazon.com/exec/obidos/ASIN/020543973X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/020543973X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/020543973X/robsladesin03-20
%O   Audience i+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   500 p.
%T   "Understanding and Managing Cybercrime"

The preface states that this book should be considered an introductory
text to the field of cybercrime (although it does not define what that
topic is until chapter one of the book).  The guide is addressed to
two audiences of students, those in the field of information
technology administration and management, and those in the field of
criminology.  McQuade suggests that the work can be used as a primer
in basic courses expounding on information systems security, and may
also be used as a supporting volume for curricula in sociology, law,
public administration, public policy, or ethics courses that deal with
information system crime and abuse.  In the Foreword, Charles Wellford
notes the increase in significance of crimes related to, or
perpetrated via the use of, computers.  Whereas crime statistics of
traditional types have been falling in recent years, cybercrime has
exploded in an environment where traditional law enforcement has been
largely unprepared.

Part one introduces the field, and outlines the growth, of cybercrime.
Chapter one starts out with a valuable addition to the discussion of
the sociology of cybercrime: the concept of "relative" normality and
deviance of behaviour in a new and rapidly changing field.  The author
then moves on to note the range of terms and activities covered under
the cybercrime reference, and to note the importance of defining those
terms not only in regard to research, but particularly in relation to
law and prosecution.  (Sam, since I have attacked the whole *concept*
of salami scams for years, and have received only a single [and
minimal: the "drive-through" incident noted in the RISKS-FORUM Digest]
instance of one occurring, you can*not* expect me to let footnote 11
pass unchallenged: it should be a documented citation, not a mere
explanation.)  The questions provided at the end of the chapter are
not simply reading checks, but thoughtful items to prompt discussion
of critical concepts.  The protection of information and other assets
is covered in chapter two, starting with the nature of information
itself, moving through the standard concepts of information security,
and ending up with critical infrastructure protection (which may be a
bit of overkill).  Chapter three reviews the various types of cyber
attacks and crimes.  I was intrigued to note the inclusion of a
section on academic computer abuses (generally a neglected topic), and
pleased with the realistic assessment of cyberterrorism, but the
structure and taxonomy of attacks could use some work.  In addition,
the material on malware is quite weak: the definitions for differing
types are better than many in general security works, but many of the
surrounding explanations are false or misleading.  For example,
McQuade partially uses the Cohenesque definition that viruses must
infect existing programs (which is no longer true of recent versions),
and implies that a user is required for viral reproduction and spread
(viruses generally require some user action for invocation, but spread
is usually automated).  Additionally, he makes the rather questionable
assertion that the skills necessary for creating malware are the same
as those required to defend national security.  The psychology of
cybercriminals and abusers is reviewed in chapter four, which also
provides a very detailed classification for social engineering, and
Donn Parker's SKRAM (skill, knowledge, resources, access, motivation)
model for assessing attackers.  McQuade notes the difficulty in
getting agreement on a profile for computer abusers, but does not
address the changing style of attacks and attackers over time.

It is interesting that chapter four is not contained within part two,
which addresses social thought on cybercrime.  Chapter five, in a
sense, extends chapter four's discussion of categories of criminals by
providing an overview of major criminologic theories: it would have
been interesting to see the classification schema analyzed in light of
the hypotheses, but simply having the philosophies outlined here is a
major contribution to the information security literature.  In
assessing the impact of cybercrime, in chapter six, McQuade notes that
there is both economic and social damage to be determined.  However,
this merely exacerbates an existing problem: the author also points
out the lack of reliable information, even in regard to economic
losses alone.  It is difficult to know what to make of chapter seven.
Titularly it promises emerging and controversial topics in cybercrime.
However, the discussion of the necessity for attack skills in regard
to defence (promised in chapter three) never appears.  The topics that
are presented would seem to extend either the first section of chapter
one (noting that computers are changing various activities in
society), or chapter three (listing different types of attacks).

Part three moves to the management of cybercrime: prevention and
protection.  Although chapter eight deals with legal philosophies and
types of laws, most of the material is only relevant to the United
States.  The limitations on investigators, which are the primary
content of chapter nine, are again mostly restricted to the United
States.  There is material on investigation and computer forensics
(although network and software forensics do not appear to be covered),
but it is fairly brief.  Chapter ten's review of information security
is oddly disjointed: parts are academic in tone, parts read like a
"secure your home computer" pamphlet, and parts promote risk
assessment models best suited to major corporations.  Future
activities (mostly at the federal government level) that might help
reduce cybercrime make up one part of chapter eleven; the other is a
discussion of computer ethics.

The book is readable, and entertaining in sections.  Most of the
information is reasonable.  However, suggesting this as a sole text
for an information security course would be unwise: it is weak in a
number of technical areas.  As an adjunct text it would be excellent:
the law enforcement perspective is all too often neglected in security
literature.

copyright Robert M. Slade, 2006   BKUMCBCR.RVW   20061105


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
            GOVERNMENT.SYS corrupted, reboot Ottawa? (Y/N)
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#694 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Dec 13, 2006 6:02 pm
Subject: REVIEW: "International IT Governance", Alan Calder/Steve Watkins
BKINITGV.RVW   20061106

"International IT Governance", Alan Calder/Steve Watkins, 2006,
0-7494-4748-6, U$80.00/UK#45.00
%A   Alan Calder www.27001.com
%A   Steve Watkins
%C   120 Pentonville Rd, London, UK, N1 9JN
%D   2006
%G   0-7494-4748-6
%I   Kogan Page Ltd.
%O   U$80.00/UK#45.00 +44-020-7278-0433 kpinfo@...
%O  http://www.amazon.com/exec/obidos/ASIN/0749447486/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0749447486/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0749447486/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   366 p.
%T   "International IT Governance: An Executive Guide to ISO
       17799/ISO 27001"

Chapter one lists various threats.  A minimal explanation of the US
Sarbanes-Oxley law is in chapter two.  A muddled description of ISO
17799 and 27001 is in chapter three.  Chapter four lists bits of a
possible security management project.  A generic statement about
security policies is in chapter five.  Chapter six contains a verbose
but sketchy outline of risk assessment.

The risk of external users is discussed in chapter seven.  Although
the title of chapter eight suggests it deals with assets, most of the
material concentrates on classification.  Various aspects of
employment are listed in chapter nine.  Random topics to do with
facility physical security are in chapter ten, and equipment
protection in eleven.  Chapter twelve is entitled "Communications and
Operations Management" and instead talks about contracts.

Viruses are examined (poorly) in chapter thirteen, along with a brief
mention of backups.  Fourteen has another odd pairing: network
security and media handling (both treated very tersely).  "Exchanges
of information," in fifteen, seems to mean email.  Certain aspects of
electronic commerce are mentioned in sixteen.  Email gets another
review in seventeen.

There is a surprisingly reasonable outline of access control (with an
odd inclusion of blackhat activities) in chapter eighteen.  Chapter
nineteen turns to network access control, with "operating system"
access control in twenty, and a weird amalgam titled "application
access control and teleworking," in twenty-one.

System development is the topic of chapter twenty-two.  Cryptography
gets an extremely terse overview in twenty-three.  Development comes
back for a second try in twenty-four.  Audit and logging is listed in
twenty-five and business continuity in twenty-six.  "Compliance," in
twenty-seven, simply catalogues various laws.  Chapter twenty-eight
finishes off with a short description of what to expect in an ISO/IEC
27001 audit.

The text has a Web component to it, and this is referred to in a
number of places in the work.  It should be noted that this Web
component is also promoted, in the publication, as a general security
management portal (unrelated to the book).  However, it is, in fact,
the Website of the consultancy run by one of the authors.  The files
available on the site do not deliver the promised information: first,
the files, when you do get to download them, lack any indication as to
type, and when you finally find out which file format they are (mostly
PDFs, with a few XLSs) the contents are generally of the marketing
brochure level, advising you to buy further materials from the site.

The book is somewhat less verbose and turgid than the earlier "IT
Governance" (cf. BKITGVRN.RVW), but is astoundingly similar in many
ways.  The quality of technical information is inconsistent and
suspect, and the structure is random.  Managers will not find
guidance in regard to the management of security within information
systems, nor about ISO 17799/27001.

copyright Robert M. Slade, 2006   BKINITGV.RVW   20061106


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
I have often stood there and looked out upon my past life and
upon the different surroundings which have exercised their power
upon me: and the pettiness which so often gives offense in life,
the numerous misunderstandings too often separating minds which
if they properly understood one another would be bound together
by indissoluble ties, vanished before my gaze.   - Soren Kierkegaard
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
