techbooks · Internet Review Project

#700 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jan 8, 2007 9:31 pm
Subject: REVIEW: "Knowledge Power: Intellectual Property, Information and Privacy", Renee Marlin-Bennett
secgloss
 
BKKPIPIP.RVW   20061119

"Knowledge Power: Intellectual Property, Information and Privacy",
Renee Marlin-Bennett, 2004, 1-58826-281-2, U$23.50
%A   Renee Marlin-Bennett
%C   1800 30th St., Boulder, CO   80301
%D   2004
%G   1-58826-281-2
%I   Lynne Rienner Publishers
%O   U$23.50 www.rienner.com
%O  http://www.amazon.com/exec/obidos/ASIN/1588262812/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1588262812/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1588262812/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   273 p.
%T   "Knowledge Power: Intellectual Property, Information and Privacy"

Chapter one examines the idea of intellectual property (IP).  This
analysis could have been either prescriptive (what IP should be) or
descriptive (what IP is, usually in terms of law), but instead it
mostly opines prescriptively, and, when there is a need to take a
stand, cravenly goes to what the legislation (generally from the
United States) says.  (There is some mention of international
differences.)  A link between privacy and IP is promised in one
section, but not delivered.  A historical overview of the development
of IP is given in chapter two: when it gets to current definitions we
are again presented with US law.  Treaties and organizations
attempting to bridge national differences in IP are listed in chapter
three.  Chapter four presents some examples of problem areas in IP,
such as pharmaceutical patents and those on sections of the human
genome.

A few philosophical views and theories of information are outlined in
chapter five, followed by a discussion of information of various types
and values.  (The deliberation would have been more interesting if the
types had been analyzed in light of the different theories.)  Chapter
six looks into the pros and cons of "ownership" and limitation of
public types of data, such as that in regard to weather and geography.
Similarly, chapter seven has the same type of discussion regarding
information about people (much of it in relation to issues of
surveillance).  Chapter eight has the same problems with the
definition of the topic that most other works have had, which is
possibly why the remaining examination seems unhelpful.  There are
numerous technical errors ("Magic Lantern" is *not* a virus) in
chapter nine's discussion of privacy breaches.  Similarly, the
deliberation on privacy protection technology, in chapter ten, is
flawed.  Chapter eleven finishes off with vague opining.

There are a number of other books that address the topic of privacy at
the same superficial level, such as "Benjamin Franklin's Website" by
Robert Ellis Smith (cf. BKBNFRWS.RVW), Simson Garfinkel's "Database
Nation" (cf. BKDBSNTN.RVW), Peterson's "I Love the Internet But I want
My Privacy Too" (cf. BKILIWMP.RVW), Cannon's "Privacy" (cf.
BKPRVACY.RVW), and "The Privacy Papers" by Rebecca Herold (cf.
BKPRVPAP.RVW).  Then there are the superior works that define the
field, like "Technology and Privacy: The New Landscape" by Agre and
Rotenberg (cf. BKTCHPRV.RVW), 1997, Cady and McGregor's surprisingly
good "Protect Your Digital Privacy" (cf. BKPYDPRV.RVW), "Internet and
Online Privacy" by Frackman, Martin and Ray (cf. BKINONPR.RVW),
Schneier and Banisar's entertaining and informative "Electronic
Privacy Papers" (cf. BKELPRPA.RVW), and "Privacy on the Line" by
Whitfield Diffie and Susan Landau (cf. BKPRIVLN.RVW).

True, as with David Brin's "The Transparent Society" (cf.
BKTRASOC.RVW), Marlin-Bennett promises a unique premise, in this case
a tie between privacy and intellectual property.  Unlike Brin, in this
book the link is not strongly demonstrated.  We are, therefore, left
with a somewhat simplistic review of the topics listed in the title.

copyright Robert M. Slade, 2006   BKKPIPIP.RVW   20061119


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
The greatest obstacle to discovery is not ignorance -- it is the
illusion of knowledge.                          - Daniel J. Boorstin
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#701 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Jan 10, 2007 7:51 pm
Subject: REVIEW: "Security Sage's Guide to Hardening the Network Infrastructure", Steven Andres/Brian Kenyon
secgloss
 
BKSSGHNI.RVW   20061119

"Security Sage's Guide to Hardening the Network Infrastructure",
Steven Andres/Brian Kenyon, 2004, 1-931836-01-9, U$59.95/C$79.95
%A   Steven Andres
%A   Brian Kenyon
%C   800 Hingham Street, Rockland, MA   02370
%D   2004
%G   1-931836-01-9
%I   Syngress Media, Inc.
%O   U$59.95/C$79.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1931836019/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1931836019/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1931836019/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   512 p.
%T   "Security Sage's Guide to Hardening the Network Infrastructure"

Chapter one seems to discuss the ideas of network segmentation,
possibly with an eye to the necessity for providing extra controls for
sensitive compartments within your network.  A number of sniffing and
scanning tools are listed in chapter two, most with fairly limited
descriptions.  A confused and unstructured look at firewalls is in
chapter three.  Chapter four lists a number of vulnerabilities from
old versions of firewalls.  Some of chapter five outlines the use of
routers as packet filtering firewalls, but more of it is directed to
simplistic configuration changes that might help harden the devices.
Chapter six is a grab bag of random (and tersely described) network
security safeguards.  An explanation of network switches, with limited
application to security, is in chapter seven.  Various attacks and
exploits are enumerated in chapter eight.  Intrusion detection systems
(and a few other tools) are discussed in chapter nine.  Some thoughts
on network design are given, for perimeters in chapter ten, and
internal networks in eleven.

If you are completely new to network security you will find some
information in this book to get you started, but in a limited and
scattered fashion.  There are any number of better books that provide
a more comprehensive and better structured outline, such as William
Stallings' "Cryptography and Network Security" (cf. BKCRNTSC.RVW) or
"Network Security" by Kaufman, Perlman, and Speciner (cf.
BKNTWSEC.RVW).

copyright Robert M. Slade, 2006   BKSSGHNI.RVW   20061119


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
Son of man, prophesy against the shepherds of Israel; prophesy
and say to them: 'This is what the Sovereign Lord says:  Woe to
the shepherds of Israel who only take care of themselves!  Should
not shepherds take care of the flock?'                - Ezekiel 34:2
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#702 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jan 22, 2007 7:10 pm
Subject: REVIEW: "Apache Security", Ivan Ristic
secgloss
 
BKAPASEC.RVW   20061119

"Apache Security", Ivan Ristic, 2005, 0-596-00724-8, U$34.95/C$48.95
%A   Ivan Ristic www.apachesecurity.net
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2005
%G   0-596-00724-8
%I   O'Reilly & Associates, Inc.
%O   U$34.95/C$48.95 707-829-0515 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596007248/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596007248/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596007248/robsladesin03-20
%O   Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   396 p.
%T   "Apache Security"

In the preface, the author states (along with remarks about the value
of books with which I heartily concur) that this work is intended to
provide system administrators, (Web application) programmers, system
architects, and Web security professionals "all the information one
needs to secure an Apache-based system."  It's a tall order.  In
addition to the details of Apache, "[s]ecurity concepts relevant for
discussion are introduced and described whenever necessary."  (The
specifics of Apache are given for the 1.x and 2.0.x branches of the
project.  Operating system examples use Linux.)

Chapter one sets out a brief but useful background to security, albeit
with some minor idiosyncrasies in vocabulary.  (Threats are not listed
in the basic terms, and what is otherwise known as risk assessment is
described under the phrase "threat modelling."  Risk is not completely
ignored: a short section is entitled "Calculating Risk.")
Installation and configuration, in chapter two, outlines a number of
measures to make the Web server more secure, and lists helpful
information such as those modules which are not strictly necessary and
may become a point of attack.  (The reasons for the extensive
discussion of the concept of "jail" or "chroot" may not be immediately
obvious to those not using Linux, but the details of the deliberation
should make the issues clearer.)  General instructions for
installation of PHP, the popular language for scripting Web
activities, are covered in chapter three, along with configuration
options and modification for more secure operations.  There are also
cross-references to other chapters for instructions on protection
against specific attacks.  Chapter four looks at SSL (Secure Sockets
Layer), starting with a basic but handy background in cryptography,
installation and configuration of OpenSSL, and finishing off with a
section on certificates and the necessary parts of a public key
infrastructure for running your own certificate authority.  Denial of
service (DoS) attacks are reviewed in chapter five, which examines the
possibilities for network attacks.  (No protection is suggested, since
these attacks are not strictly related to Apache.)  There is an
interesting mention of the ways you can create problems for yourself,
with a list of problems specific to Apache itself (there are controls
suggested for these latter two topics).

Chapter six notes the problems with sharing servers among multiple
users.  Noting that there is no single answer for these issues,
various options are analyzed.  The details on most of the alternatives
are left to the reader to explore, a reasonable position given the
complexity of the problem.  Fundamental concepts of access control are
described in chapter seven, along with standard Apache authentication
tools and single sign-on (SSO) choices.  Types of logs, custom
options, strategies for storing and monitoring audit information, and
external log and review tools are all part of chapter eight.  The
avoidance of network attacks in chapter five is somewhat inconsistent
in view of the fact that chapter nine surveys the infrastructure,
including system and network hardening.  Chapter ten lists various
general difficulties and attacks that are generically part of Web
applications, but does not address safeguards for most of them
(although it does reference many Web resources dealing with specific
topics and exploits).  Instructions and resources for performing a
penetration test or security review on yourself are contained in
chapter eleven.  Chapter twelve discusses some factors in intrusion
detection, has a bit of confusing editorial comment, but mostly
describes the author's mod_security application firewall.

Ristic basically fulfills his promise.  The minor faults with the book
do not detract from the fact that any Apache administrator or
developer will benefit, in terms of increased security, from the
information provided in this book.

copyright Robert M. Slade, 2006   BKAPASEC.RVW   20061119


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
The test of a first-rate intelligence is the ability to hold two
opposed ideas in mind at the same time and still retain the
ability to function.                        - F. Scott Fitzgerald
              http://www.wileytoons.com/comics/1999/november/1127.jpg
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#703 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Jan 29, 2007 8:30 pm
Subject: REVIEW: "Creative Computer Crafts", Marcelle Costanza
secgloss
 
BKCRCMCR.RVW   20061206

"Creative Computer Crafts", Marcelle Costanza, 2006, 1-59327-068-2,
U$24.95/C$32.95
%A   Marcelle Costanza computercrafts@... www.thecraftypc.com
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2006
%G   1-59327-068-2
%I   No Starch Press
%O   U$24.95/C$32.95 415-863-9900 fax 415-863-9950 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/1593270682/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1593270682/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1593270682/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   160 p.
%T   "Creative Computer Crafts"

In the introduction we learn that the author has been a crafter for a
long time, that she started doing crafty-type things with a computer
when she had access to one, that she has developed a business around
computer crafts, and then wrote this book.

Part one is the book itself, such as it is.  In chapter one we learn
the stuff from the introduction again, with more details.  The tools
of the computer crafter's trade are covered in chapter two.  This
material should be useful, and it is, in isolated sections.  For
example, there are a number of details about different types of inkjet
inks, including edible inks.  This material would have been more
useful had there been more information about the makes and models of
printers that would accept specialty inks.  There is some content in
regard to different paper paths in printers, but it is not related to
text elsewhere about different types of print media.  The advice in
regard to the computer itself boils down to "more is better."  Some of
the information is related only to crafting and has nothing to do with
the computer, while other facts appertain only to computers (and MS
Windows, at that) and have no bearing on crafts.  Starting your own
craft business is the topic of chapter three, and while the advice on
subjects to research would be handy for those with no business
background, it probably wouldn't be of much help to those wanting to
get started.  (It reminds me of "Don't Get Burned on eBay" [cf.
BKDGBOEB.RVW]: if you are already involved the tips can help you stay
out of trouble, but if you aren't already there, the possible horror
stories will keep you out of the activity altogether.)  (One other
factor: neither in this section nor in chapter two is there any
discussion of the rather horrific prices for inkjet inks and specialty
media, nor any suggestions for reducing those costs.)

Part two lists fifty craft projects.  Many of these would seem to be
possible with a colour photocopier.

If you use a computer and want something else to do with it, you might
find some ideas in the book, but maybe not with the equipment that you
have.  If you are a crafter and want to do something interesting with
the family PC, you might be more inclined to favour the ideas found in
this volume.  If you want to set up your own business creating
trinkets and specialty items ... watch your costs.

copyright Robert M. Slade, 2006   BKCRCMCR.RVW   20061206


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
The purpose of computing is insight, not numbers.
                                             - Richard Wesley Hamming
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#704 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Jan 31, 2007 7:27 pm
Subject: REVIEW: "Security Governance", Fred Cohen
secgloss
 
BKSECGOV.RVW   20061110

"Security Governance", Fred Cohen, 2005, 1-878109-37-5
%A   Fred Cohen http://all.net
%C   572 Leona Dr, Livermore, CA   94550
%D   2005
%G   1-878109-37-5
%I   Fred Cohen and Associates
%O   925-454-0171 all.net
%O  http://www.amazon.com/exec/obidos/ASIN/1878109375/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1878109375/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1878109375/robsladesin03-20
%O   Audience a Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   96 p.
%T   "Security Governance: Business Operations, Risk Management, and
       Enterprise Security Architecture"

Most of the security frameworks available are in the form of a
checklist, so why shouldn't Cohen's CISO Toolkit (see also
BKCISOGG.RVW for the "Governance Guidebook" and BKCISOHB.RVW for "The
CISO Handbook") have one?

In fact, Cohen's version may be considerably easier to understand and
use, particularly for those with a business, rather than a security,
background.  While most security frameworks are structured according
to a taxonomy of security concepts, the checklist in "Security
Governance" is based on business models and concepts.  For example,
the four major divisions are made on the basis of business functions
and modelling, oversight, business risk management, and enterprise
security management.  Therefore, the businessperson working through
the points will start with the familiar, and only later have to face
items directly discussing security.  (Even then, the security issues
are those regarding the position and management of security within the
organization.)

Regardless of other security frameworks that you may use, Cohen's
checklist will be of value.  While many items will have relations to
details in other indices, the articles and entities in "Security
Governance" address a number of issues that are not found in most
security frameworks.  Let's face it: regardless of the emphasis or
perspective, security frameworks tend to follow the same general
outline.  Cohen's work is idiosyncratic--and, in this case, that's a
useful characteristic.

Also, most security frameworks give you a checklist of about 135 items
for roughly U$150: Cohen gives you over 900 points for U$49.00.

copyright Robert M. Slade, 2006   BKSECGOV.RVW   20061110


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
     If all the world is a stage, where is the audience sitting?
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#705 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Feb 2, 2007 8:33 pm
Subject: REVIEW: "iPod: The Missing Manual", J. D. Biersdorfer
secgloss
 
BKIPODMM.RVW   20061213

"iPod: The Missing Manual", J. D. Biersdorfer, 2007, 0-596-52978-3
978-0-596-52978-9, U$19.99/C$25.99
%A   J. D. Biersdorfer JD.Biersdorfer@...
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2007
%G   0-596-52978-3 978-0-596-52978-9
%I   O'Reilly & Associates, Inc.
%O   U$19.99/C$25.99 707-829-0515 fax: 707-829-0104 nuts@...
%O  http://www.amazon.com/exec/obidos/ASIN/0596529783/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0596529783/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596529783/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   239 p.
%T   "iPod: The Missing Manual, Fifth Edition"


The introduction outlines, in rather enthusiastic (if *extremely*
terse) text, the iPod product, and then explains the standard
references used in technical books for those who don't read any
technical books.

Chapter one is a presentation of the iPod as it comes out of the box.
Unfortunately this may be a bit confusing at first, if you don't have
a standard configuration of a full-scale iPod, a Macintosh computer,
and an iTunes account already loaded with songs.  For other situations
there are a number of provisos that do not make clear what you can and
cannot do.  Menus and settings (and a few other topics such as cases,
games, and battery charging) are listed in chapter two.  The iTunes
program (as opposed to the online store), and various functions are
described in chapter three.  The descriptions are sometimes a bit
lacking: there is mention of the ability to convert from one audio
format to another, but no catalogue of the range of files that can be
accommodated, nor the format requirements for the iPod player itself.
Chapter four deals with the creation and modification of playlists
(with a few items in regard to the management of song files).  The
iTunes Store (as opposed to the computer utility) is the subject of
chapter five.  Video capabilities are reviewed in chapter six.
Chapter seven turns to the storing and playing of photos and
slideshows.  The utility software that comes with the iPod gets an
overview in chapter eight, for some reason along with one hardware
device that you can buy separately.  Chapter nine lists speakers and
accessories.  A few troubleshooting tips (mostly limited to the
equivalent of rebooting or upgrading software) and some options for
service are mentioned in chapter ten.  Chapter eleven finishes off
with a few ideas of things to do that might be related to iPods (but
doesn't go into how to do them).

While this manual may be helpful to some, it is going to be somewhat
frustrating for others: a lot of the information is still missing.
This is not because Biersdorfer doesn't know her stuff: her earlier
"iPod and iTunes: The Missing Manual" (cf. BKIPDITN.RVW) does cover
issues that are not included in this work.

On the other hand, maybe there is a big market that wanted more and
prettier pictures, but a lot less information.

copyright Robert M. Slade, 2006   BKIPODMM.RVW   20061213


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
My son is not brilliant; he's not genius. Anyone that has any
computer knowledge could have done what Jeff did. It doesn't take
a level of genius to do this.
   - mother of teen charged with modifying a virus - got *that* right
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#706 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Feb 6, 2007 12:03 am
Subject: REVIEW: "Designing and Building Enterprise DMZs", Ido Dubrawsky et al
secgloss
 
BKDBEDMZ.RVW   20061223

"Designing and Building Enterprise DMZs", Ido Dubrawsky et al, 2006,
1-59749-100-4, U$59.95/C$77.95
%E   Ido Dubrawsky
%C   800 Hingham Street, Rockland, MA   02370
%D   2006
%G   1-59749-100-4
%I   Syngress Media, Inc.
%O   U$59.95/C$77.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597491004/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597491004/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491004/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   714 p.
%T   "Designing and Building Enterprise DMZs"

Chapter one does outline some basic DMZ (DeMilitarized Zone) concepts
and design, but is vague and verbose, with many large (in page size)
and simplistic (in terms of information content) illustrations with
little detail and minimal differences between them.  (Figures 1.5 and
1.6 are, in fact, identical, even though they purport to show
different topologies.)  Windows DMZ design, in chapter two, is both
too broad (it discusses very general aspects of planning for a DMZ
setup) and too detailed (the text almost immediately jumps into the
specifics of particular outside hardware to be purchased for an
isolated example) to be of practical use.  Much the same is true of
chapter three, which is based on Sun's Solaris operating system.

Chapter four lists wireless network attacks and some security
technologies, but doesn't really deal with DMZ aspects, and chapter
five, purportedly about implementing wireless DMZs, just has lots of
screenshots for installing various products.

Chapter six starts a section of the book cataloguing various firewall
products.  In this case it is Cisco's PIX and ASA systems, and
discusses unit specifications, licensing, and some Cisco commands.
Chapters seven through ten, respectively about Checkpoint,
SecurePlatform and Nokia, NetScreen, and ISA Server 2005, basically
contain screenshots for installation and configuration.

Chapter eleven, entitled "DMZ Router and Switch Security," would have
been a good place to deliberate on security considerations of the
different routing protocols, but only suggests hardening routers and
switches.  VPN (Virtual Private Network) topologies and products are
noted in chapter twelve, with almost no mention of DMZs at all.  The
standard advice for building MS Windows bastion hosts is in chapter
thirteen.  We are told to remove unnecessary services (without being
told which are necessary), to rename the administrator account
(although nobody mentions that the renamed account can still be
determined), and the text recommends using Terminal Services (even
though this service is widely considered to be a security risk).  Most
of the material is about how to use the configuration utilities,
rather than suggestions on the settings themselves.  Much the same
type and level of advice is given in chapter fourteen, in regard to
Linux.

Ultimately, while there is content in the work that can be helpful in
terms of security, there is relatively little that actually relates to
DMZ concepts, design, use, or protection.

copyright Robert M. Slade, 2006   BKDBEDMZ.RVW   20061223


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
What about the main thing in life, all its riddles?  If you want,
I'll spell it out for you right now.  Do not pursue what is
illusory--property and position: all that is gained at the
expense of your nerves decade after decade, and is confiscated
in one fell night.  Live with a steady superiority over life--
don't be afraid of misfortune, and do not yearn after happiness;
it is, after all, all the same: the bitter doesn't last forever,
and the sweet never fills the cup to overflowing.  It is enough
if you don't freeze in the cold, and if thirst and hunger don't
claw at your insides.  If your back isn't broken, if your feet
can walk, if both arms can bend, if both eyes see, and if both
ears hear, then whom should you envy?  And why?  Our envy of
others devours us most of all.  Rub your eyes and purify your
heart--and prize above all else in the world those who love you
and who wish you well.  Do not hurt them or scold them, and never
part from any of them in anger; after all, you simply do not
know: it might be your last act before your arrest, and that will
be how you are imprinted in their memory!
                            - The Gulag Archipelago, Solzhenitsyn
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
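The review above notes that renaming the Windows administrator account does not hide it, because the renamed account "can still be determined."  The reason is that the built-in Administrator account always carries relative identifier (RID) 500 within the machine's SID (and Guest carries RID 501); renaming changes the name, never the SID.  The following is an added example, not code from the reviewed book or from the review, showing how an auditor (or an attacker who can enumerate local accounts) picks out the real administrator by RID regardless of its name.  The account list is constructed sample data with a hypothetical machine SID; on a real host the same (name, SID) pairs would come from something like `Get-LocalUser | Select-Object Name, SID`.

```python
"""Find the built-in Administrator and Guest accounts by RID, not by name.

Added example (not from the reviewed book or the review).  Windows fixes
RID 500 for the built-in Administrator and RID 501 for Guest inside the
machine-local domain SID (S-1-5-21-...).  Renaming the account leaves the
SID, and therefore the RID, unchanged.
"""
import re

# Well-known RIDs of the built-in local accounts; fixed by Windows.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

# SDDL string form: S-<revision>-<identifier authority>-<sub-authority>...
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed sample data.  The machine SID 21-1004336348-1177238915-682003330
# is hypothetical.  Note the renamed administrator ("ops_svc", RID 500) and
# the decoy ordinary user that was given the name "Administrator" (RID 1010).
SAMPLE_ACCOUNTS = [
    ("ops_svc",       "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("Administrator", "S-1-5-21-1004336348-1177238915-682003330-1010"),
    ("Guest",         "S-1-5-21-1004336348-1177238915-682003330-501"),
    ("alice",         "S-1-5-21-1004336348-1177238915-682003330-1001"),
]


def parse_sid(sid):
    """Return (identifier authority, sub-authority, ...) as a tuple of ints.

    Raises ValueError for anything that is not a SID string, so a caller
    that accidentally passes an account name fails loudly.
    """
    if not _SID_RE.match(sid):
        raise ValueError("not a SID: %r" % (sid,))
    parts = sid.split("-")
    return tuple(int(p) for p in parts[2:])


def rid_of(sid):
    """The RID is the final sub-authority of the SID."""
    return parse_sid(sid)[-1]


def machine_sid(sid):
    """The domain (machine) SID is the SID with its RID removed."""
    parse_sid(sid)  # validate first
    return sid.rsplit("-", 1)[0]


def find_builtin_accounts(accounts):
    """Map each well-known built-in account to the name currently carrying it.

    `accounts` is an iterable of (name, sid) pairs.  Only SIDs issued by the
    NT authority (5) in the machine-local domain (21) are considered; the
    BUILTIN domain (S-1-5-32-...) and other authorities carry different RIDs.
    """
    found = {}
    for name, sid in accounts:
        subs = parse_sid(sid)
        if subs[:2] != (5, 21):
            continue
        rid = subs[-1]
        if rid in WELL_KNOWN_RIDS:
            found[WELL_KNOWN_RIDS[rid]] = name
    return found


if __name__ == "__main__":
    for builtin, name in sorted(find_builtin_accounts(SAMPLE_ACCOUNTS).items()):
        print("%-13s is currently named %r" % (builtin, name))
```

Run against the sample data, the script reports that the account named `ops_svc` is the real Administrator and that the account named `Administrator` is not, which is exactly the check the review says the book omits: a rename is a speed bump for an attacker with account enumeration, not a control.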

#707 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Feb 7, 2007 9:39 pm
Subject: REVIEW: "The Art of Software Security Assessment", Mark Dowd/John McDonald/Justin Schuh
secgloss
 
BKTAOSSA.RVW   20061214

"The Art of Software Security Assessment", Mark Dowd/John
McDonald/Justin Schuh, 2007, 0-321-44442-6, U$54.99/C$68.99
%A   Mark Dowd http://taossa.com/
%A   John McDonald
%A   Justin Schuh
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2007
%G   0-321-44442-6
%I   Addison-Wesley Publishing Co.
%O   U$54.99/C$68.99 416-447-5101 fax: 416-443-0948 800-822-6339
%O  http://www.amazon.com/exec/obidos/ASIN/0321444426/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321444426/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321444426/robsladesin03-20
%O   Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   1174 p.
%T   "The Art of Software Security Assessment"

One of the important parts of a book proposal is a review of the
literature that might be related to your topic, and how your book
differs from the competition.  The preface states that, unlike other
software security texts, this one doesn't deal with security design
and defensive programming, but concentrates on how to find
vulnerabilities.  The authors obviously haven't done their homework:
there are a number of books that talk about finding weaknesses and
loopholes in software.  There are even books that specialize in
finding vulnerabilities in specific types of software, such as the
rather spotty "Database Hacker's Handbook" (cf. BKDBHKHB.RVW) and the
much superior "How to Break Web Software" by Andrews and Whittaker
(cf. BKHTBWSW.RVW).  And most of them seem to be, like this work,
directed at consultants, security professionals, developers, and
quality assurance people.

"The Art of Software Security Assessment" is somewhat distinctive in
being particularly directed to programmers.  Thus, readers from the
consulting, security, and quality assurance fields who do not have a
very strong programming background will probably find themselves at a
loss to navigate the maze of coding examples.

Part one is an introduction to software security assessment.  Chapter
one, on software vulnerability fundamentals, starts with a very
verbose definition of "vulnerability" that seems to boil down to the
idea that a vulnerability is something that someone can use against
you.  The authors also propose that problems be examined in terms of
design vulnerabilities (this is what some other software development
literature describes as flaws), implementation vulnerabilities (bugs),
and operational vulnerabilities.  (The latter seems to be related to
improper requirements specification, or simply use of a program in the
wrong situation.)  One section runs through the software development
life cycle (SDLC) noting the types of problems to be addressed in each
phase, but the material is much less useful than that in Gary McGraw's
"Software Security: Building Security In" (cf. BKSWSBSI.RVW).  A brief
overview of design review is found in chapter two, along with a larger
section of miscellaneous security technologies.  There is also a more-
than-usually helpful explanation of threat modeling using data flow
diagrams and attack trees.  Some of the material is idiosyncratic: the
description of "bait-and-switch" attacks seems to be confused with the
birthday attack against hash digests.  An unstructured collection of
content about vulnerabilities, more security technologies, and network
models makes up chapter three.  Chapter four titularly talks about the
application review process.  This medley of ideas about ways to check
code will give you some suggestions if you are starting the operation,
but there is little in the way of analysis of the recommendations.

Part two turns to software vulnerabilities.  Chapter five provides
very detailed information about the various types of buffer overflows,
although the explanations are not always clear unless you already
understand the concepts.  Important facts about the means of data
representation in the C programming language are listed in chapter
six, and the abstractions are applicable to other languages.  Chapter
seven suggests reviewing code in terms of function, such as separately
auditing variable use, procedure calls and returns, and memory
allocation.  Problems with common string-handling (and therefore text-
related) statements in C are discussed in chapter eight, along with
the significance of differential handling of not-quite-universal data
representations by various languages (this commonly results in
malformed data attacks).  Not quite in a separate part to themselves,
chapters nine through twelve provide internal details of the UNIX and
Windows privilege and permission functions, as well as process
handling.  Chapter thirteen deals with process state information,
primarily concerning various race conditions.  Unfortunately, the
outlines given are not as helpful as they could be, due to a reliance
on code examples at the expense of explanations.  The authors would do
well to emulate the style adopted by Diomidis Spinellis in "Code
Quality: The Open Source Perspective" (cf. BKCQTOSP.RVW) who also
stresses the auditing of source code, but provides extensive textual
background as well.

Part three looks at software vulnerabilities in practice, although
limited to network operations.  Chapter fourteen provides details of
many of the basic Internet protocols, noting checks that should be
made for dangerous conditions.  The discussion of firewalls, in
chapter fifteen, has oddly little material on application-level
proxies (and only tangential mention of circuit-level proxies),
concentrating on the examination of packet headers.  Miscellaneous
attacks, with no readily evident theme, are listed in chapter sixteen.
Chapter seventeen details HTTP (HyperText Transfer Protocol) and other
Web technologies, catalogues some attacks, and gives a brief set of
vulnerability checking guidelines.  Various vulnerabilities in Web
scripting and programming languages are noted in chapter eighteen.

There is a great deal of valuable information within this volume.
However, there isn't sufficient explanatory content for the work to
stand as a primer for beginners, and the lack of structure reduces the
utility as a professional reference.  The reliance on code examples is
reasonable for a work aimed at programmers, but it does limit the
audience to that group.  In addition, the practical parts of the book,
in particular, greatly emphasize Web applications.  As it stands, this
work has much of value to Web developers and Web software testers, but
it could have had much broader application with minor improvements.

copyright Robert M. Slade, 2006   BKTAOSSA.RVW   20061214


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
A teacher is one who makes himself progressively unnecessary.
                                                  - Thomas Carruthers
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#708 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Feb 9, 2007 6:39 pm
Subject: REVIEW: "Essential Computer Security", Tony Bradley
BKESCMSC.RVW   20070104

"Essential Computer Security", Tony Bradley, 2006, 1-59749-114-4,
U$29.95/C$38.95
%A   Tony Bradley tony@...
%C   800 Hingham Street, Rockland, MA   02370
%D   2006
%G   1-59749-114-4 978-1-59749-114-3
%I   Syngress Media, Inc.
%O   U$29.95/C$38.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597491144/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597491144/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491144/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   279 p.
%T   "Essential Computer Security"

The introduction makes the usual analogy to an appliance and the
owner's manual that would come with it, noting that a computer is much
too complex, and has too many possible applications to have that kind
of manual.

Then it goes on to say that this book is that kind of manual.

Next, it refers to the use of the Internet and seems to concentrate on
those areas of use, despite the fact that a number of other uses for
the computer had previously been mentioned.  Even when limiting the
computer operation to the one area of bare computer networking, this
activity would still be the most complex and dangerous of those in
common employment.  Therefore, the promise that this work will give
security (and, presumably, computer) neophytes the background they
would require in order to function safely in a networked (including
wireless) environment with even the most basic Internet applications
is still a very tall order.

Part one supposedly covers the bare essentials, with chapter one
addressing fundamental Windows security.  Unfortunately, while the
material does note some of the basic Windows security tools, it does
not provide the "bare essentials" level of detail that would help a
completely naive user to effect any significant increase in
protection.  The utilities and usage are effectively described, but
the settings of group privilege levels, for example, will require a
great deal more effort and understanding on the part of the home
computer owner.  Some simple techniques for choosing stronger
passwords are given in chapter two, although the additional protection
yielded by adherence to the suggestions is limited.  The content on
malware, in chapter three, is not as bad as some, but still has a
number of factual errors.  (The advice on protection does not address
the different types of protection or the actions to avoid to reduce
threat levels, but is limited to the promotion of a few commercial
products.)  Chapter four suggests that users turn on Automatic Updates
(which is probably not terribly useful if you are not running
Windows XP).

Part two is entitled "More Essential Security," which seems to need
some definition.  Is this simply more of the same as was given in part
one (in which case why is there a part two), or is this security "more
essential" than the first part (in which case why are they in this
order)?  Chapter five shows some screenshots from Windows Firewall,
ZoneAlarm, and Snort.  Some of the advice on spam, hoaxes, and other
email problems, in chapter six, is helpful, but the recommendations
could be much more direct.  Similarly, chapter seven's overview of Web
security has some good points, but a number of areas (such as the
dangers of active content) should have much greater emphasis and
detail in order to protect those without a security background.  There
are basic security procedures for wireless networks in chapter eight.
Again, without the technical aspects (explained at a minimal and
appropriate level) the advice to use encryption or VPNs (Virtual
Private Networks) leaves the reader open to choosing either the wrong
technology, or unaware of the lack of protection for certain
applications.  Chapter nine tells users to run AdAware and Spybot.

Part three turns to testing and maintenance.  Chapter ten notes the
basic maintenance tools in Windows XP, but not some of the essential
points of these operations, such as how often to do disk
defragmentation, or the different types of defragmentation.
(Defragmenting the system files, for example, is potentially much more
useful.)  Event logs (which are going to be incomprehensible to naive
users) and restore points (which get set by all kinds of system and
application activities: users will be hard pressed to choose an
appropriate one that doesn't lose important functions) are noted in
chapter eleven.  Chapter twelve provides too little information about
alternatives to Microsoft.

(I am not upset that Tony has used some of my definitions in his
glossary: that's fine, particularly since he specifically acknowledges
the source.  I'm less than impressed with his choice of terms overall,
and with a number of the other definitions.)

I am in full sympathy with the intent to produce a book for people who
don't know (and don't even particularly *want* to know) about
security: something that the masses can read in order to obtain
suggestions on significantly more protection for their computers,
data, and operations.  This work has some points, but nothing like the
level of helpful detail and direct wording that exists in Thomas
Greene's "Computer Security for the Home and Small Office" (cf.
BKCMSCHO.RVW), or even Tony Bove's "Just Say No to Microsoft" (cf.
BKJSN2MS.RVW).

copyright Robert M. Slade, 2007   BKESCMSC.RVW   20070104


#709 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Feb 12, 2007 7:35 pm
Subject: REVIEW: "Minoli-Cordovana's Authoritative Computer and Network Security Dictionary", Daniel Minoli/James Cordovana
BKMCACNS.RVW   20070102

"Minoli-Cordovana's Authoritative Computer and Network Security
Dictionary", Daniel Minoli/James Cordovana, 2006, 0-471-78263-7
%A   Daniel Minoli
%A   James Cordovana
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2006
%G   0-471-78263-7
%I   John Wiley & Sons, Inc.
%O   416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471782637/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471782637/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471782637/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   443 p.
%T   "Minoli-Cordovana's Authoritative Computer and Network Security
       Dictionary"

I find that, again, I need to declare the possibility of bias or
conflict in this review.  Not only have I published a security
dictionary of my own, but my work was also intended, as the authors
announce in their preface, to be not simply a list of terms, but a set
of practical definitions, and even a commentary on the security field.

While my dictionary addresses only security, Minoli and Cordovana have
included computer and network in the title (and later mention that
they are including financial terms).  However, the preface also makes
clear that security is the major thrust of the glossary: the first
two-thirds of the introduction basically preaches security, and the
remaining material even mentions a superior telecommunications
dictionary.

Therefore, it comes as a bit of a surprise that the first term that
has any direct connection to security comes on page four, and even
then is only the expansion of an acronym.  We are on page eight before
we find the first actual definition that has even a nominal connection
to security.  A random sampling of terms seems to indicate that less
than 20% of the entries in the work relate to security.  (That
relation holds in terms of number of entries.  The actual material
appertaining to security is proportionately less, since non-security
entries tend to be longer than those defining security phrases.)  A
surprising number of terms deal with cellular telephone technologies
and standards, and the promised financial jargon is there in
abundance.  It is, in fact, not always clear (even from the
definition) from which field a particular term comes.  (Generally the
financial jargon is so identified, but I chased down a particular
thread through a number of entries, which task was not aided by the
lack of cross-references between terms, before I finally realized that
it was not an unusual security phrase, but a minor part of a specific
cellular telephone service.)

In regard to the security terms themselves, the value is questionable.
Like Phoha's "Internet Security Dictionary" (cf. BKINSCDC.RVW) the
authors have included twelve variations on the access theme, and
"access control" is only defined in terms of the old confidentiality
model.  There are 28 variants on authentication, 13 on
vulnerabilities, and 20 on business with only three related to
security.  Five "attacks" are listed, none major.  There are seven
entries starting with "trojan": one is a definition, five are possible
types of trojans, and the last entry lists the previously defined
types.  Eight phrases start with "Computing:" and include items such
as "Computing: Molecular Computers."  Ten entries are components of
the United States' Communications Assistance for Law Enforcement Act
[CALEA], which proliferation of American legal entries also points out
the US-centric nature of the work.  There are entries for both "Domain
Name System" and "Domain Names System."  (There is, so help me, a
definition for "one-time password" and another for "One-Time
Password.")  There are two entries for grid computing, and they
contradict each other.

The "authoritative" part of the title seems to be based on the fact
that the references section lists over 500 articles, Web pages, and
books.  (It's hard to judge what they are, since the list is not in
author, title, publisher, or even date order.)  However, the entries
sometimes merely conflate material that seems to come from diverse
sources, without any attempt at analysis or explanation.  (The
definition of "stateful inspection," for example, in one phrase is
talking about session state, and before the sentence is over has
switched to content examination.)

Some of the terms are idiosyncratic or seldom used, and there are
frequently multiple terms for the same concept.  Again, it is not easy
to assess the amount of duplication that goes on, since there are
almost no cross-references between terms (and in those few instances
some of the alternate terms suggested don't actually exist in the
book).  Even where a specific technology may have major divisions,
related terms aren't noted.  (The "firewall" entry, for example,
doesn't even inventory the four major categories, and "intrusion
detection system" lists neither the engine types nor the sensor
placement architectures.)  However, by looking up terms known to be
related the reader can readily find not only multiple terms for
similar concepts, but frequently duplicated wording as well (see
"ankle-biter" and "script-kiddie").

One of the attacks catalogued, "attack on hash-and-sign signature
schemes" is much more widely known as the birthday attack, but there
is no corresponding entry under that term.  (There is a definition for
birthday paradox.)  There is an entry for CUT (Coordinated Universal
Time) but not the more widely used UCT.  Some of the phrases used for
entries mean that people may not find what they are looking for: there
is "computer bug" but not "bug" (and no mention of implementation
versus design) as well as "computer evidence" and "computer forensics"
but not "evidence" or "forensics" (or "digital forensics").
Cryptanalytic attacks are defined under their own entries, but most
are also listed (and with more detail) under "Cryptanalysis, " [sic]
entries (and, again, there are no cross-references between them).

There is also an entry for "fork bomb" which is said to be equivalent
to "logic bomb" but is defined more as a processor exhaustion virus or
worm.  "Kleptography" makes reference to "subliminal" and the
definition of "subliminal channel" gives an example of a covert timing
channel and then states that this is *not* what a subliminal channel
is.  (Subliminal never is defined except to state that it is an
undetectable covert channel.)

Canonicalization defines only one of the many meanings (and that
possibly the least significant).  Only one aspect of "race condition"
is given.  "Digital money" (rather than the more commonly used digital
cash) has no mention of the requirements or technical challenges.
Feistel cipher never states the requirement for multiple rounds of
simple functions or the iterated subdivision of blocks.  The
definition of low-level format does not mention that it operates at
the physical, rather than logical, stratum (and it states,
incorrectly, that a low-level format destroys all data on the disk).

A number of entries are for specific (and often obscure) products and
little used processes.  There are five entries related to
cryptoviruses, occupying three pages, whereas the definitions for worm
and virus combined don't exceed three column inches.  (Within that
brief space are at least three factual errors, and there are many
important factors that are missing.  "Vaccine," which term has not
been seriously used in years and then only for a specific type of
change detection, is said only to be a program to detect and disable
viruses.)

There are a great number of extremely silly typographical errors, such
as rile instead of role, pc rather than PC, ant-keylogger versus anti-
keylogger, and competing for computing.

There are other, and better, communications dictionaries.  There are
other, though older, computer dictionaries.  There are other security
dictionaries, and, even excluding my own, I could not say that this
glossary has any advantage over them.

copyright Robert M. Slade, 2006   BKMCACNS.RVW   20070102


#710 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Feb 14, 2007 8:04 pm
Subject: REVIEW: "IT Governance", Peter Weill/Jeanne W. Ross
BKITGOVR.RVW   20070105

"IT Governance", Peter Weill/Jeanne W. Ross, 2004, 1-59139-253-5,
U$35.00
%A   Peter Weill
%A   Jeanne W. Ross
%C   60 Harvard Way, Boston MA   02163
%D   2004
%G   1-59139-253-5
%I   Harvard Business School Press
%O   U$35.00 617-495-6700 800-545-7685 http://www.hbsp.harvard.edu
%O  http://www.amazon.com/exec/obidos/ASIN/1591392535/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1591392535/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1591392535/robsladesin03-20
%O   Audience a- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   267 p.
%T   "IT Governance"

The preface promotes IT (Information Technology) governance, but is
vague on what that might be.  It also talks about decision rights (who
gets to influence or make the decision), IT architecture (though the
book only later notes that this involves integration and the creation
of standards), and business strategies.

Chapter one does give (and repeats in different places) the definition
that IT governance specifies the decision rights and accountability
framework that will encourage proper behaviour in using IT.  Thus,
governance is not about specific decisions as such, but entails the
factors regarding who determines and contributes to decisions.  (The
OECD (Organisation for Economic Co-operation and Development) provides
that corporate governance is a structure for determining
organizational objectives and monitoring performance and progress
towards them.  The book suggests that effective governance arises from
factors involving what decisions ensure effective management, who
makes those decisions, and how the decisions are made and monitored.)
Concerning the encouragement of proper behaviour, certain management
structures will suit certain activities.  For example, the need for
innovation is not supported by a requirement that business units carry
the entire capital cost of infrastructure demanded by new
technologies, whereas assistance from the corporation as a whole (plus
the ability to charge other departments that come to use the new
tools) encourages such developments.

There is frequent confusion in regard to the term governance and what
differentiates it from management.  Chapter two notes that management
might be said to increase direct performance, while governance may,
through analysis, redirect activities to great effect.  (In a sense
this only moves the question back one level: this simply seems to be
the distinction between strategic and operational management.)  The
text also notes that five basic classes of decisions must be made in
IT: principles, architecture, infrastructure, business application
needs, and the prioritizing of investment.  However, the examples given
are not particularly helpful: it is clear why one set of IT principles
and policies might support certain given business objectives, but not
why they might be chosen over others.  Principles should, according to
the book, clarify the desired operating model, IT's support for the
model, and the IT funding structure: the examples given definitely
don't illuminate financial support.  Infrastructure is defined as the
common (long-term) services supporting an activity: whether utilities,
data, or human capital.  There is little of use in the discussion of
business needs, and most of the investment material is quite generic.

Chapter three lists six governance archetypes, where decisions are
made by executive management, IT management, business unit management,
a consensus of executive and business unit management, a consensus of
IT and business unit management, and anarchy.  A grid is created
noting (from survey data) which of these archetypes has input to, or
decision power over, five IT decision areas.  There is little useful
analysis, and a few case studies.  Types of decision-making mechanisms
are catalogued and discussed in chapter four.  Three basic types are
the basis for the outline, decision-making structures (such as
committees and teams), alignment processes (policy audits), and
communications.  Chapter five is an attempt to assess what type of IT
governance works best, but the means are questionable and the
appraisal is weak.  The raw data seems to indicate that it is best to
obtain input from executive management and the business units, but
that decisions are best left to IT management.  As this runs counter
to common business practice, the text tries to suggest alternative
models.  Case studies in chapter six are presented as linking
strategy, IT governance and performance.  The links are weak, and
similar stories in chapter seven do little to explain distinctive
governance issues for government and not-for-profit organizations.
The leadership principles suggested for IT governance in chapter eight
are generic, and unrelated to the research or analysis cited in the
prior material.

Some of the figures and illustrations (such as the governance
arrangements matrix) are helpful and explanatory while others (like
the governance design framework) are of little use.

The writing in the book is not engaging.  The material presented is
true, but not compelling, and is slow to develop.  Content is repeated
in later chapters or sections, usually with expansion, but the lack of
initial development leaves the reader wondering if anything of value
is going to be said or done.  There is some merit in the deliberation
that this work makes on management, decisions, and sources of input,
but there would have been greater worth in compressing the few ideas
into fewer pages.

copyright Robert M. Slade, 2007   BKITGOVR.RVW   20070105


#711 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Feb 20, 2007 6:40 pm
Subject: REVIEW: "Code Quality: The Open Source Perspective", Diomidis Spinellis
BKCQTOSP.RVW   20061229

"Code Quality: The Open Source Perspective", Diomidis Spinellis, 2006,
0-321-16607-8, U$54.99/C$73.99
%A   Diomidis Spinellis www.spinellis.gr/codequality dds@...
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2006
%G   0-321-16607-8
%I   Addison-Wesley Publishing Co.
%O   U$54.99/C$73.99 416-447-5101 800-822-6339 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0321166078/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321166078/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321166078/robsladesin03-20
%O   Audience a+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   569 p.
%T   "Code Quality: The Open Source Perspective"

The preface points out that it is easy to test for the functional
requirements of an application: either the program performs the
function or it doesn't.  Nonfunctional requirements (including such
characteristics as reliability, portability, usability,
interoperability, adaptability, dependability, and maintainability)
are much harder to assess, and yet may be more important.  (In an
automated train system, for example, the lack of a function to change
the schedule from within a given train still allows you to use the
train within a given schedule.  Unreliability of the braking system
means the system is worse than useless.)  In addition, "Code Reading"
(the title of Spinellis' previous book) is pointed out as the most
common activity for developers, and yet is a skill seldom taught in
the programming curriculum.  The author has avoided using fictional
code for the examples in this (and the prior) work by providing sample
code from open source software projects, thus using working (but
available) source code for illustrations.

Chapter one introduces the structure of the text by mapping
characteristics from the ISO 9126 quality standard to the chapters and
sections of the book.  Inherent conflicts between different aspects of
quality are also noted.  (For example, large numbers of discrete
operations enhance the functionality of a system, but at some cost in
terms of usability.)  Reliability is examined, in chapter two, in
terms of common flaws.  Examples of such flaws are given, followed by
an explanation of the specifics of the problem.  This is followed by
samples of code that address the problem stated.  Each point and
section is accompanied by questions and discussion points that could
be used in a course teaching the issues of code quality.  (Unlike all
too many sets of questions, these are rigorous and challenging.
Sometimes they may be a little bit too demanding: occasionally the
discussion would require intimate knowledge of the internals of a
specific programming language.)  The chapter ends with a summary of
the points and factors covered.

Various security vulnerabilities and coding points are illustrated in
chapter three, but, in comparison to the rest of the work, this
material is weak and disappointing.  Performance issues in relation to
time are reviewed in chapter four, and to space in five.  The
different factors of latency and bandwidth, and the trade-offs between
memory and speed are noted.  It is rather odd that Spinellis is at
pains to point out that time efficiencies negatively affect simplicity
and portability, while he goes to great lengths to provide suggestions
for space optimizations for a variety of specific architectures (which
wouldn't help portability either).

Chapter six looks at a number of factors relating to portability,
between both hardware and operating system platforms.  Maintainability
is the longest chapter (seven) in the book, and bears the closest
relation to Spinellis' previous work on "Code Reading."  There is a
special section on the characteristics of object-oriented code.
Chapter eight, on floating point arithmetic, notes the sometimes
surprising sources of inaccuracy.

In the information technology and development fields we are constantly
obsessed with production of code and the speedy release of the next
version.  We need to stop and take a good look at the quality of what
we produce: as is frequently stated, the greatest source of computer
problems is computer solutions.  In regard to security, it is
demonstrably true that the exploits and difficulties that we find are
those that would never have been created if only programmers had paid
a little more attention to the fundamental concepts they were first
taught.  I believe Spinellis' text should be required reading for all
programming courses and programs.  In addition, those involved with
analysis, maintenance, and change control should consider it a bible
to be read and re-read until the lessons are firmly implanted.

copyright Robert M. Slade, 2007   BKCQTOSP.RVW   20061229


#712 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Feb 26, 2007 11:10 pm
Subject: REVIEW: "Security Controls for Sarbanes-Oxley Section 404 IT Compliance", Dennis C. Brewer
BKSCSOXC.RVW   20070112

"Security Controls for Sarbanes-Oxley Section 404 IT Compliance",
Dennis C. Brewer, 2006, 0-7645-9838-4
%A   Dennis C. Brewer
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2006
%G   0-7645-9838-4
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$64.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0764598384/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0764598384/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764598384/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   262 p.
%T   "Security Controls for Sarbanes-Oxley Section 404 IT Compliance"

The United States Sarbanes-Oxley law (frequently referred to as Sarbox
or SOX) dictates that corporate management is responsible for the
reliability of financial reports about publicly traded companies.  SOX
extends beyond the reporting for publicly traded companies, touching
on private companies doing business with other companies which do
provide public reports, and even on entities outside American
jurisdiction.  Section 404 (and also 302, in a marvelous confusion
with Web result codes) notes that the integrity of information systems
supporting these financial reports must also be managed.  Yet the
first five words in this book are "[i]dentity theft and fraudulent
access" which seems a bit of a stretch even for the latitude in
topical range SOX currently enjoys.  Publishers, rather than authors,
get to choose titles, but this work does seem to be somewhat vague in
intent.

Chapter one states that the plethora of new regulations is making life
difficult for information systems managers, and that discipline is
needed for building secure systems.  However, information technology
architecture is nominally supposed to be the topic.  There is a great
deal of verbiage and opinion about architecture, but little in the way
of definition.  What details are given seem to boil down to having a
formal process, and lots of documentation.  Too few concepts about
privacy are discussed in too many words (and some large and relatively
pointless diagrams) in chapter two.  It is highly ironic that chapter
three is entitled "Defining and Enforcing Architecture," because there
is almost no definition of architecture (and nothing enforceable) in
the text.  Again, there is lots of stress on documentation and
pictures, but little of use to systems managers.  Chapter four lists a
number of factors that should be considered in designing a system or
infrastructure.  There is a simple overview of some elementary access
control functions and technologies in chapter five.  Chapter six
suggests supporting access control functions with LDAP (Lightweight
Directory Access Protocol), although it stops short of outlining how
this might be accomplished.  Chapter seven takes a rather confused
look at a number of the complexities that are increasingly involved
with access control.  Although chapter eight is supposed to be about
protecting private information, it only reiterates material already
covered.  There is an extremely terse review of information
classification in chapter nine.  Chapter ten is a curt look at access
control in Web applications.  Federated identity is a sort of special
case of single sign-on technology, and some of the complications are
mentioned in chapter eleven.  Chapter twelve finishes off the book
with odd pondering of some factors that would need to be considered
for the implementation of a universal identity system.

There is almost nothing in regard to SOX in this work, and the only
security controls discussed are those relating to access control, and
almost no detail is provided.  Those interested in the access control
topic would be far better served by Richard E. Smith's
"Authentication" (cf. BKAUTHNT.RVW).

copyright Robert M. Slade, 2007   BKSCSOXC.RVW   20070112


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
       The only thing a network is good for is to poll the system
           in the morning to see which computers were stolen.
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#713 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Wed Mar 7, 2007 1:59 am
Subject: REVIEW: "The Executive Guide to Information Security", Mark Egan/Tim Mather
secgloss
BKEGINSC.RVW   20070112

"The Executive Guide to Information Security", Mark Egan/Tim Mather,
2005, 0-321-30451-9, U$34.99/C$49.99
%A   Mark Egan
%A   Tim Mather
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2005
%G   0-321-30451-9
%I   Addison-Wesley Publishing Co.
%O   U$34.99/C$49.99 416-447-5101 fax: 416-443-0948 bkexpress@...
%O  http://www.amazon.com/exec/obidos/ASIN/0321304519/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321304519/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321304519/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   268 p.
%T   "The Executive Guide to Information Security"

The preface states that the book is intended as a crash course on
information security for those at the executive management level who
are not familiar with the security or technical field.  The work is
intended to present practical recommendations that can be implemented
quickly, and to explain key principles in non-technical language.

Chapter one notes that security is becoming an increasing concern to
the corporation, and that new technologies, such as the Internet and
wireless networking, are making this already difficult task ever more
complicated.  Some random aspects of security, mostly different types
of security tools, are listed in chapter two.  The recommendation
about developing a security program, in chapter three, is limited to
generic project management.  Some general advice on staffing is given
in chapter four.  Chapter five outlines a few processes necessary to a
security assessment and program.  More technologies and utilities are
catalogued in chapter six, more processes in seven.  Chapter eight
looks to the increasing complexity of information systems, new and
harsher attacks, and the expanding problems in securing systems.  Some
important, but not comprehensive, points about an information security
program are listed in chapter nine.

The book includes a "security framework," in the checklist style
favoured by so many authors of frameworks, but it has more gaps and is
limited in comparison to the other available structures (such as Fred
Cohen's "Security Governance," cf. BKSECGOV.RVW).

This is much like a collection of reasonable magazine articles, and
would be good for raising awareness and limited familiarity with the
importance of security, and some of the major issues.  It is, however,
hardly the basis for a complete understanding of the security realm,
even at the executive level.  It certainly would not serve as the
foundation for a security program.

copyright Robert M. Slade, 2007   BKEGINSC.RVW   20070112


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
I base most of my fashion taste on what doesn't itch. - Gilda Radner
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#714 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Mar 9, 2007 7:56 pm
Subject: REVIEW: "FISMA Certification and Accreditation Handbook", Laura Taylor
secgloss
BKFISMAC.RVW   20070113

"FISMA Certification and Accreditation Handbook", Laura Taylor, 2007,
1-59749-116-0, U$69.95/C$90.95
%A   Laura Taylor
%C   800 Hingham Street, Rockland, MA   02370
%D   2007
%G   1-59749-116-0 978-1-59749-116-7
%I   Syngress Media, Inc.
%O   U$69.95/C$90.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597491160/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597491160/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491160/robsladesin03-20
%O   Audience a- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   498 p.
%T   "FISMA Certification and Accreditation Handbook"

The United States' Federal Information Systems Management Act mandates
certain standards of information security and controls for US federal
agencies.  It extends to contractors and other sources that support
the assets of federal government departments.  However, it may have
wider application yet, since it provides a solid basis for security
management, assessment, and assurance for large corporations as well.

Chapter one looks at definitions of various terms surrounding security
and controls.  It is interesting to note that to the usual
certification (assessment) and accreditation (acceptance) phases the
feds add an audit/evaluation phase between the two.  The National
Information Assurance Certification and Accreditation Process
(NIACAP), National Institute of Standards and Technology outline,
Defense Information Technology Systems Certification and Accreditation
Process  (DITSCAP), and Director of Central Intelligence Directive 6/3
(DCID 6/3), all directions on how to follow FISMA, are briefly
compared in chapter two.  A list of job descriptions, and a brief
outline of general project management steps, make up chapter three.
Chapter four examines components of a certification and accreditation
program, mostly in terms of documentation.  Chapter five returns to
project management, with a quick look at the initiation phase.  An
even shorter mention of creating a hardware and software inventory is
in chapter six.  Chapter seven is nominally about determining the
proper level for certification (which is, again, primarily related to
the number of documents produced), but turns into an interesting and
valuable outline of information classification.  Much of chapter
eight, on self-assessment, is a reprinting of the NIST 800-26
guideline on that topic.  Security awareness and training is touched
on briefly in chapter nine.  Chapter ten, on rules of behaviour, is a
terse mix of acceptable use and incident response, but it leads rather
nicely into the longer examination of incident response in chapter
eleven.  Chapter twelve lists various types of assessment tools, such
as vulnerability scanners and code analyzers.  I found the privacy
impact assessment, in chapter thirteen, to be an interesting
perspective.  Chapter fourteen's material on business risk assessment
is concise but reasonable.  Business impact assessment, in fifteen, is
not quite as good, since it neglects the analysis of criticality of
operations.  Contingency planning is outlined well in chapter sixteen.
Chapter seventeen takes a brief look at risk assessment, but manages
to hit all the high points.  Change management is reviewed in chapter
eighteen.  An overview system security plan document is described in
chapter nineteen.  The certification package is detailed from the
perspective of those submitting it (in chapter twenty) and those
evaluating or auditing it (chapter twenty-one).  Preparation of a plan
to correct residual weaknesses is addressed in chapter twenty-two.
Chapter twenty-three looks at improving the standings and grading on a
Federal Computer Security Report Card.

There is much that is useful and helpful in this book, both in terms
of general information security management structure and process, and
in terms of references for those involved with FISMA related programs.
However, for those who are new to the operation of US government
certification and accreditation, the basic requirements, and the
relation of the ancillary programs to FISMA itself, could have been
more fully explained.

copyright Robert M. Slade, 2007   BKFISMAC.RVW   20070113


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
              Press any key to continue.  NO, NO, NOT *THAT* ONE!
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#715 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Mar 13, 2007 8:42 pm
Subject: REVIEW: "CD and DVD Forensics", Paul Crowley
secgloss
BKCDDVDF.RVW   20070116

"CD and DVD Forensics", Paul Crowley, 2007, 1-59749-128-4,
U$49.95/C$64.95
%A   Paul Crowley sales@...
%C   800 Hingham Street, Rockland, MA   02370
%D   2007
%E   Dave Kleiman
%G   1-59749-128-4 978-1-59749-128-0
%I   Syngress Media, Inc.
%O   U$49.95/C$64.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597491284/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597491284/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491284/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   292 p.
%T   "CD and DVD Forensics"

Chapter one outlines the physical (and some logical) structure of the
various CD (Compact Disk) and DVD (Digital Versatile Disk) formats.
The material is often interesting, but I wonder how helpful it would
be, for forensic examiners, in many cases.  For example, there is
discussion of dyes and the coloured cast that they give to different
types of disks, but many of those distinctives seem to depend upon a
number of factors, and there is a wide range of possibilities.  In
addition, some of the descriptions of a more technical nature are
terse, and not well explained.  Most of chapter two relates to the
different CD disk formats, with varying levels of detail, but mostly
just brief summaries.  There are also odd inclusions of miscellaneous
(and only tenuously associated) material.  Chapter three suggests that
taking a forensic binary image of a CD is easy, but sometimes
impossible.  (And that you should do a hash digest for verification,
but sometimes they won't match.)  Collecting disks for evidence is
mentioned in chapter four, which has similarly contradictory advice in
places.  Preparation for examination, in chapter five, covers a number
of diverse issues such as cleaning of disks and types of drives to
use.  (It is not mentioned, at this point, that Appendix A has
instructions on modifying a drive for use in forensic examination.)

More than a third of the book (chapters six, seven, and eight)
contains documentation for the author's CD forensic software.

Chapter nine lists a few things you should put in a forensic report.
Less than a page of items (that have been said elsewhere in the book)
are in chapter ten.

There is an extensive glossary in the book, although many items do not
relate to CDs or DVDs.  Many of those that do relate are poorly
explained, which severely limits the helpfulness of this section.

This book is not very useful for forensics, with insufficient detail
on most topics.  It suggests areas to be concerned about, but the
potential examiner would have to go elsewhere to get the information
needed to do a good job.  However, this is an esoteric area of study,
and few other sources are available, so it may be helpful as an
initial starting point.

copyright Robert M. Slade, 2007   BKCDDVDF.RVW   20070116


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
He wrapped himself in quotations--as a beggar would enfold
himself in the purple of Emperors.                 - Rudyard Kipling
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#716 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Mar 16, 2007 6:23 pm
Subject: REVIEW: "Cryptography for Developers", Tom St. Denis
secgloss
BKCRPTDV.RVW   20070114

"Cryptography for Developers", Tom St. Denis, 2007, 1-59749-104-7,
U$59.95/C$77.95
%A   Tom St. Denis
%C   800 Hingham Street, Rockland, MA   02370
%D   2007
%G   1-59749-104-7 978-1-59749-104-4
%I   Syngress Media, Inc.
%O   U$59.95/C$77.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597491047/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597491047/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491047/robsladesin03-20
%O   Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   423 p.
%T   "Cryptography for Developers"

Chapter one is a poor explanation of some cryptographic concepts.
Sample code for various ASN.1 standard data types and representations
(those useful for cryptographic work) are given in chapter two.  The
review of random numbers that is provided in chapter three is
excellent, with discussion of sources of entropy, basic designs for
random and pseudorandom systems, coding samples, and pointers to
concerns and areas of weakness in related systems.  Chapter four, on
the Advanced Encryption Standard (AES), is weak on theoretical
outlines, but describes the algorithm and processes, as well as noting
programming code, optimizations, and the weaknesses (primarily against
side channel attacks) that such performance measures create.  There is
also a review of two of the five modes of block cipher operations.
Hash functions, and an extensive discussion of the birthday paradox,
are in chapter five.  There are coding details of SHA-1 (Secure Hash
Algorithm), SHA-256, and SHA-512, as well as PKCS (Public Key
Cryptographic Standard) #5.  More secure message authentication codes
(MAC): CMAC (Cipher Message Authentication Code) and HMAC (it actually
isn't an acronym, despite what the book says) are in chapter six.
Implementing applications which both encrypt and provide
authentication is described in chapter seven.  Chapter eight examines
operations with very large numbers, vital for most asymmetric
cryptography (which is briefly outlined in chapter nine).

The text is written in a pseudo-intellectual manner that may sometimes
annoy the reader with its emphasis on erudite and esoteric trivia.
The attempt at folksy humour does not contribute to either an
understanding of the material or the readability of the content.  The
explanations of basic concepts are weak, and often wrong or
misleading.  There are a great many typographical errors in the text
of the manuscript, which does not inspire confidence in the accuracy
of the sample code.  There are a number of useful points in the book,
but they are buried in a lot of sloppy work.

copyright Robert M. Slade, 2007   BKCRPTDV.RVW   20070114


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
There is nothing in this world constant but inconstancy.     - Swift
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#717 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Mar 20, 2007 8:00 pm
Subject: REVIEW: "Manager's Guide to Compliance", Anthony Tarantino
secgloss
BKMAGUCO.RVW   20070213

"Manager's Guide to Compliance", Anthony Tarantino, 2006,
0-471-79257-8, U$50.00/C$64.99
%A   Anthony Tarantino
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2006
%G   0-471-79257-8
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$64.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471792578/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471792578/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471792578/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   315 p.
%T   "Manager's Guide to Compliance"

In the preface, the author states that compliance (presumably with
national laws such as Sarbanes-Oxley, or SOX, from the United States)
is important even in an international market (where foreign
regulations may not apply), primarily in terms of interest and
insurance rates.  He also compares government regulations, such as
SOX, with "principles-based" standards such as ISO 27000, seeming to
imply that the latter are not quite as significant.

(Compliance has recently become a commodity rather than a condition.
One of the indications of this change is that nobody seems to need to
define what they mean by compliance any more.  In this case, Tarantino
is apparently talking about the various regulations, standards, and
directives dealing with financial reporting.)

The first six chapters of the book deal with various sections of SOX
and implications they have for companies.  Chapter one examines off-
balance sheet items, such as contracts and agreements, and notes that
the guidance from the Security and Exchange Commission has been
confusing.  Section 404, discussed in chapter two, is the directive on
internal controls that is of such moment in information security.  The
author notes that a great many planning tools (generally spreadsheets)
are used within companies in a completely uncontrolled manner, and
frequently erroneously.  Chapter three looks at section 406 and codes
of ethics, while four notes section 409's requirements on material
changes to company status.  The implications of SOX for private
companies are purportedly reviewed in chapter five, which basically
promotes the pursuit of "good practices" and marginally mentions the
provisions for non-reporting companies doing business with companies
that must report.  The excessive cost to small business is noted in
chapter six.  Chapter seven remarks that many foreign companies are
delisting from American stock exchanges in order to avoid reporting
provisions, but does not deal with the provisions for foreign
companies that do substantial business with United States' firms that
are covered by the Act.  The United States' Office of Management and
Budget (OMB) circular A-123 on the requirements for federal agencies
to report on internal controls is outlined in chapter eight.

Chapter nine looks at the Health Insurance Portability and
Accountability Act (HIPAA).  The banking industry's Basel II
requirements for bank solvency are noted in chapter ten, along with the
American Gramm-Leach-Bliley Act (GLBA) on privacy in banking
operations.  Australian, Canadian (actually only the Ontario
Securities Commission standards 52-109 and 52-111, with no mention of
the Criteria Control Committee [CoCo] of the Canadian Institute of
Chartered Accountants and other guidance), and the United Kingdom
(Turnbull Guidance) standards on internal controls are examined in
chapter eleven, with the 1999 Organization for Economic Cooperation
and Development (OECD) Principles (particularly section 8) and the
Corporate Governance Scoring (CGS) benchmarks briefly touched on in
chapter twelve.  Chapter thirteen outlines the International Financial
Reporting Standards (IFRS), but not in detail.

The chapters that follow rather tersely address issues that may have
implications for or from the various standards: outsourcing is in
chapter fourteen, legal penalties in fifteen, business penalties in
sixteen, differences in revenue recognition in seventeen, and data
retention standards in eighteen.

Chapter nineteen notes a few software tools for assessing compliance.
A sample checklist and flowchart (and some case studies) for auditing
internal controls are in chapter twenty.  The COSO (Committee of
Sponsoring Organizations of the Treadway Commission) three-dimensional
structure for assessing enterprise risk management and internal
controls is given in chapter twenty-one.  Chapter twenty-two reviews
the United States' National Institute for Standards and Technology
(NIST) document 800-30 on risk management and systems development life
cycles.  A rough mapping of the COBIT (Control OBjectives for
Information Technology) items to the areas of the COSO structure and
the Public Company Accounting Oversight Board (PCAOB, a provision of
SOX) components is in twenty-three.  Chapter twenty-four has a few
further objectives from the COBIT lists.  Australian Stock Exchange
(ASX) principles are given a detailed treatment in chapter twenty-
five, which is rather odd in view of the paucity of information in
other sections.

Another roundup of miscellaneous topics finishes off the book with
chapters on segregation of duties (twenty-six), some "case studies"
(twenty-seven), compliance project management (twenty-eight),
governance and ethics (twenty-nine), and cost/benefit analysis
(thirty, which gives hard data on costs: the benefits are mostly just
suggested).

While the collection of various frameworks could be helpful for those
confused by the alphabet soup of assorted standards, the lack of
detail in most areas is not.  There is very little in the way of
guidance in regard to actual compliance with the standards or
directives: basically, even with this book, you are going to have to
get diverse documents and work out the requirements for yourself.

copyright Robert M. Slade, 2007   BKMAGUCO.RVW   20070213


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
The simple fact that nobody understands you is not to be taken as
                  proof that you are an artist
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#718 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Mar 26, 2007 8:30 pm
Subject: REVIEW: "Simple Tools and Techniques for Enterprise Risk Management", Robert J. Chapman
secgloss
BKSTTERM.RVW   20070213

"Simple Tools and Techniques for Enterprise Risk Management", Robert
J. Chapman, 2006, 0-470-01466-0, U$110.00/C$131.99
%A   Robert J. Chapman mail@...
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2006
%G   0-470-01466-0
%I   John Wiley & Sons, Inc.
%O   U$110.00/C$131.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0470014660/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0470014660/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0470014660/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   466 p.
%T   "Simple Tools and Techniques for Enterprise Risk Management"

The preface is not terribly clear on the purpose of the book, and lays
claim to an ambitiously wide audience.  (It goes on to outline the
structure of the work, basically by repeating the table of contents.)

Part one looks at enterprise risk management in context.  (What
context is not stated: from the material it seems to be just "in
general.")  Chapter one lists various perspectives on risk and
management.  Corporate governance in the United Kingdom is reviewed in
chapter two, with positions in the United States and Canada in three.
Chapter four outlines internal controls and the relation to risk
management.  United Kingdom government documents on risk management
are described in chapter five.

Part two deals with aspects of consulting.  Chapter six views the
process from the perspective of the client: how to choose a
consultant.  The remaining chapters are advice on how to operate as a
consultant: seven tells how to conduct an interview with the client
(the material is of questionable value), eight mentions components
that should go into a proposal, and nine tells you to be a really good
consultant and delight the client.

A risk management process is described in part three.  The delineation
is supposed to be structured as six stages, but the phases seem to
come in three pairs.  Chapter ten is on analysis: chapter eleven, on
risk identification, duplicates much of the material.  Risk assessment
is covered in chapter twelve, and while chapter thirteen's "risk
evaluation" does not copy the content of twelve, it is certainly
closely related.  Risk planning, in fourteen, and risk management, in
fifteen, are both generic outlines of the risk management process
overall.  I suppose that these are the titularly promised simple tools
and techniques: while they are simple, the processes and tools would
require a great deal of work by anyone who wants to get value from
them.

Part four examines influences within the environment of the
enterprise.  Chapter sixteen looks at financial matters.  Operational
risk management, in seventeen, is the banking industry term, and
covers what is known in business and security circles simply as
general risk management.  The material is similar to that in chapters
fourteen and fifteen, but has more details.  Technological risk, as
presented in chapter eighteen, is a generic overview of information
technology.

The external influences that are discussed in part five are vaguely
related issues.  Chapters nineteen and twenty deal with macro economic
and environmental risks (on the scope of global warming), but are
rather beyond the ability of most corporations to control.  The
material on legal matters, in chapter twenty-one, is more directly
helpful.  Chapter twenty-two reviews political factors.  The
deliberation about market considerations, in twenty-three, is fairly
similar to the content of nineteen.  Social perspectives finish off
the book in twenty-four.

There is not much in this work that could not be found in cheaper and
more accessible resources.  (To give only one example, there is the
"Risk Management Guide for Information Technology Systems," document
800-30 available at no cost from the US National Institute for
Standards and Technology.)  In fact, the valuable content could have
been compressed into a magazine article, if a somewhat lengthy one.
If you wish to set up a risk management consultancy, and are
completely new to the game, there is an outline here that will get you
started.  (If you rely only on this book, those clients who hire you
will deserve everything they get ...)

copyright Robert M. Slade, 2007   BKSTTERM.RVW   20070213


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
              Si hoc legere scis nimium eruditionis habes
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#719 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu Mar 29, 2007 4:58 pm
Subject: REVIEW: "Beyond COSO", Steven J. Root
secgloss
BKBECOSO.RVW   20070218

"Beyond COSO", Steven J. Root, 1998, 0-471-39112-3, U$65.00/C$84.99
%A   Steven J. Root
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   1998
%G   0-471-39112-3
%I   John Wiley & Sons, Inc.
%O   U$65.00/C$84.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471391123/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471391123/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471391123/robsladesin03-20
%O   Audience i Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   340 p.
%T   "Beyond COSO: Internal Control to Enhance Corporate Governance"

In the preface, the author notes that it is impossible to have
complete control of any situation: problems and fraud will happen
despite all of our efforts.  Root recommends that companies should
implement internal controls as suggested by COSO (the Committee of
Sponsoring Organizations of the Treadway Commission), but must also go
beyond them, in a manner similar to the layered defence or defence in
depth models.

Chapter one contains an analysis of the limitations of the COSO
directives (and ends with a rather odd overview of the book itself).
The concepts of, and problems with, internal control are covered in
chapter two.  Chapter three presents a history of twentieth century
corporate frauds and the attempts to restrict them.  Business ethics
and values are discussed in chapter four.

Chapter five outlines the COSO framework, noting that internal
controls provide assurance of the efficiency of operations and
reliability of financial reporting--as long as there is compliance
with the laws and regulations.  (As this material is based on the 1992
version of COSO, it is interesting to note that the components of risk
management are pretty much the same, but that the dimensions of
objectives categories and unit-levels had not yet been added to the
model.)  Further concerns and limitations of COSO are expressed and
analyzed.  Additional frameworks are reviewed in chapter six.  Using a
hybrid of devices from these other frameworks, chapter seven suggests
the extension of internal controls with additional management aspects.
Chapter eight recommends that an oversight process be established for
internal controls, noting particularly legal obligations and related
factors such as standards of care, generic corporate organization and
business roles and tasks.  The oversight issues are extended in
chapter nine, looking in more detail at job roles, and also insights
that arise from chaos theory.  Chapter ten finishes off the book with
a review of the reporting of internal controls: much of this is
concerned with the wording used in such statements, and the
ineffectiveness of such reports to control incidents and fraud.

Despite its age, this book is one of the more useful guides in the
area of governance and controls in corporations.  Root was willing to
go beyond the usual promotional jobs that masquerade as management
advice.  While he does not solve the problem, he at least makes the
issues clearer, and raises interesting points in regard to solutions.

copyright Robert M. Slade, 2007   BKBECOSO.RVW   20070218


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
                   And the tubby beard went on.
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

#720 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Apr 3, 2007 7:40 pm
Subject: REVIEW: "Botnets: The Killer Web App", Craig A. Schiller et al
 
BKBOTNTS.RVW   20070126

"Botnets: The Killer Web App", Craig A. Schiller et al, 2007,
1-59749-135-7, U$49.95/C$64.95
%A   Craig A. Schiller craigs@...
%A   Jim Binkley
%A   David Harley david.a.harley@...
%A   Gadi Evron ge@...
%A   Tony Bradley tony@...
%A   Carsten Willems
%A   Michael Cross
%C   800 Hingham Street, Rockland, MA   02370
%D   2007
%G   1-59749-135-7 978-1-59749-135-8
%I   Syngress Media, Inc.
%O   U$49.95/C$64.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597491357/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1597491357/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491357/robsladesin03-20
%O   Audience i Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   464 p.
%T   "Botnets: The Killer Web App"

I'm starting the review of this book sitting in the Baker Room at the
Microsoft Conference Center, attending ISOI II (the second set of
Internet Security Operations and Intelligence meetings).  We have just
finished singing along with Gadi Evron (who arranged both the
community and the meetings) to an Israeli pop song from a few years
back (and from a band with the oddly appropriate name of Mashina).
Craig Schiller gave me a copy of the book last night at dinner.  (When
I asked Jim Binkley to autograph it for me he was jealous because he
hasn't yet received his own copy.)  Carsten Willems was here
yesterday, but I haven't seen him to ask him to sign it this morning.
I'll have to ask for David Harley's autograph the next time he visits
Vancouver.

All of which is by way of saying that it may be difficult to be
objective about this book, but ...

The subtitle of chapter one, "A Call to Action," is correct.  Normally
one would expect a definition of the topic or technology of botnets,
but the text is more of an exhortation to pay attention to the
problem.  The history provided is piecemeal: it does not mention the
early DDoS (Distributed Denial of Service) systems (which were
application-specific botnets) nor the spambotnet wars of 2004.  The
definition of botnets in chapter two tends to be technical, rather
than functional, and the descriptions and categories could be grouped
in a more logical and organized manner.  A variety of alternative
command and control systems are described in chapter three: the
material is well written.  The one weakness is the lack of detail on
the standard IRC (Internet Relay Chat) control system, but this should
probably have been covered more fully in the introductory chapters.
Chapter four describes some of the major botnet "client" software
families.  The content is too technical to be of use to the average
computer user, but isn't really all that detailed.  Technical
information about a variety of possible indications of botnet activity
is listed in chapter five.

The use of the Ourmon tool for detecting botnet traffic is discussed
in chapters six and seven.  (The structure of the text, and the reason
for two chapters, is not completely clear, although six is more on
installation and seven is more on use.)  Ourmon's examination of IRC
traffic is covered in chapter eight.  Chapter nine deals with more
advanced techniques.

Using the CWSandbox program for malware analysis is examined in
chapter ten.  Software tools, research communities, and other sources
of information are listed in chapter eleven.  Chapter twelve is a
(mostly) philosophical look at how we, as a society, should respond to
botnets.  There is also a brief section on protecting your own
computer so as not to become part of the problem, although assessment
and use of a number of the recommendations would be beyond the
capabilities of the average user.

Botnets are a significant problem, and one which has not been
adequately addressed in the current security literature.  Therefore,
this work is of major importance.  The book does provide a good deal
of useful information for network administrators and security
professionals, although better arrangement of the data and more
technical detail would have been even more helpful.  (The brief
attempts to address individual users are not successful.)  The text is
a decent professional reference, and hopefully it will promote further
attention and activity in this area.  (Security activity.  We don't
need any more botnet activity.)

copyright Robert M. Slade, 2007   BKBOTNTS.RVW   20070126


#721 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Apr 10, 2007 7:59 pm
Subject: REVIEW: "The Visible Ops Handbook", Kevin Behr/Gene Kim/George Spafford
 
BKVSOPHB.RVW   20070118

"The Visible Ops Handbook", Kevin Behr/Gene Kim/George Spafford, 2006,
U$21.95, 0-9755686-1-2
%A   Kevin Behr
%A   Gene Kim genek@...
%A   George Spafford
%C   #104 - 2896 Crescent Ave, Eugene, OR   97408
%D   2006
%G   0-9755686-1-2 978-0-9755686-1-3
%I   Information Technology Process Institute
%O   U$21.95 www.itpi.org 541-485-4051 info@...
%O  http://www.amazon.com/exec/obidos/ASIN/0975568612/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0975568612/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0975568612/robsladesin03-20
%O   Audience s- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   98 p.
%T   "The Visible Ops Handbook"

The introduction notes that while many people see the need for process
improvement, and that the ITIL (Information Technology Infrastructure
Library) contains many "best practices," it is still difficult to know
where to start, and to suggest what should be done in a given
situation.  The authors then go on to outline a study two of them
conducted on the characteristics of "high performing" companies.  They
assert that the factors identified in the survey relate to three areas
of the British Standard 15000 structure provided for the ITIL
practices: release processes (planning and designing), control
processes (particularly change management), and resolution processes
(dealing with problems).  Unfortunately, the authors have often chosen
to describe their findings in terms of what does not work, rather than
what does.  There are also readability issues: the material seems
almost to be written with an intent to impress the reader, rather than
to clearly inform.  Finally, it is far from obvious that the
conclusions the book presents could assist organizations to improve.
The problems described are common to immature and "chaotic"
enterprises, and the text does not demonstrate whether the processes
identified have made the associated companies good, or whether good
companies use these processes once they have achieved maturity and
stability.

Chapter one suggests that you reduce unplanned changes to your
systems, but is a little short on advice about how to accomplish this.
There is a great deal of material on the symptoms of an organization
that lacks planning structures rather than specifics of how to
identify or deal with problems.  A suggested agenda for a change
advisory board is one useful item.  You should inventory your systems,
and then identify the ones that cause the most trouble, says chapter
two.  The third phase is to devise a system to manage the creation of
software builds, and provide the company with standard software
releases.  Chapter four outlines a number of useful metrics for
determining how well your organization is performing--at controlling
the release of new and updated software that you write.

If you create software, and particularly if you develop your own
software and systems in-house, then it is a good idea to manage the
process and ensure that changes are made properly.  Therefore, the
advice to do so is good.  However, this booklet doesn't go much beyond
that, and would be of rather limited use to most companies, even those
that do a lot of their own development.

copyright Robert M. Slade, 2007   BKVSOPHB.RVW   20070118


#722 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Apr 13, 2007 7:12 pm
Subject: REVIEW: "Information Insecurity", Eduardo Gelbstein/Ahmad Kamal
 
BKINFINS.RVW   20070119

"Information Insecurity", Eduardo Gelbstein/Ahmad Kamal, 2002,
92-1-104530-4
%A   Eduardo Gelbstein
%A   Ahmad Kamal
%C   One United Nations Plaza, New York, NY   10017
%D   2002
%G   92-1-104530-4
%I   United Nations Information & Communications Technology Task Force
%O   U$28.00/C$32.63 www.unicttaskforce.org
%O  http://www.amazon.com/exec/obidos/ASIN/9211045304/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/9211045304/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/9211045304/robsladesin03-20
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   153 p.
%T   "Information Insecurity"

The introduction makes a number of statements about information
security, and the growing dangers to it.  All of us could probably
agree with the assertions, but the points raised are neither supported
nor developed.

Chapter one restates that there is danger to information systems,
albeit with a bit more detail and some mention of basic information
security concepts and terms.  The material is simplistic, and not
particularly accurate when it gets into specifics.  (There is no
evident structure to the content, and this doesn't make it any easier
to assess the amount of knowledge that is provided.)  A similarly
disorganized amalgamation of security tools and practices is described
in chapter two.  Even though it is entitled "Solutions," and the
individual pieces of advice are not incorrect, the random arrangement
of the text as well as the vague and generic nature of the information
provided would not help solve problems for most individuals or
companies.  A number of standards and laws are listed in chapter
three.  "Recommendations," in chapter four, are limited to the advice
that there is a problem and somebody should take action.

It is extremely hard to think of any audience that would benefit from
reading this book.

copyright Robert M. Slade, 2007   BKINFINS.RVW   20070119


#723 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Apr 17, 2007 9:12 pm
Subject: REVIEW: "Measuring ITIL", Randy A. Steinberg
 
BKMSITIL.RVW   20070119

"Measuring ITIL", Randy A. Steinberg, 2006, 1-4120-9392-9
%A   Randy A. Steinberg RandyASteinberg@...
%C   Suite 6E, 2333 Government Street, Victoria, BC   V8T 4P4
%D   2006
%G   1-4120-9392-9
%I   Trafford Publishing
%O   888-232-4444 FAX 250-383-6804 sales@...
%O  http://www.amazon.com/exec/obidos/ASIN/1412093929/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1412093929/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1412093929/robsladesin03-20
%O   Audience s- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   154 p.
%T   "Measuring ITIL"

Chapter one is supposed to be an introduction to the book.
Unfortunately, it jumps right in without bothering to define some
basics (such as what ITSM is, and why we should want to measure it).
(It probably stands for Information Technology Services Management,
since ITIL, the Information Technology Infrastructure Library, is about
that topic.)  Purportedly an overview of metrics, chapter two is
actually an exhortation to measure things.  Aspects of a metrics model
framework are listed in chapter three, although the details don't do
much to explain any overall structure or operation.

Chapter four is a set of tables of incident response metrics.
Unfortunately, the material is cyclically self-referential, without
ever explaining real details.  Similar non-definitions are given for
various management areas in subsequent chapters: problems in five,
change in six, release in seven, configuration in eight, service desk
(no management) in nine, service levels in ten, availability in
eleven, capacity in twelve, service continuity in thirteen, IT
financials in fourteen, and IT workforce in fifteen.  (If you are well
familiar with ITIL you will recognize the structure, but the book does
not explain it.)

Chapter sixteen suggests that if you have very few sources of metrics,
then you should collect and display a few metrics.  Chapter seventeen
describes the DICE (Duration, Integrity, Commitment, Effort) model
that attempts to predict the likelihood of success of an ITIL (the
first time the Information Technology Infrastructure Library is
materially mentioned in the book, despite the title) implementation.
Unfortunately, the text stops short of really explaining how to use
the model, or calculate the parameters you are to enter.  There is a
tiny bit more information on the ITSM Metrics Model Tool, in chapter
eighteen, but unfortunately the detail is on the output side, rather
than input.  Chapter nineteen outlines a full program (including an
enormous staff) for using the metrics, but, since everything is based
on measurements that have not been fully explained, it is hard to say
how useful all of this is.

If you are fully versed in ITIL, this book might help you decide how
to measure your operations.  Mind you, if you are completely familiar
with ITIL, and are using it, you probably already have your own
metrics in hand.

copyright Robert M. Slade, 2007   BKMSITIL.RVW   20070119


#724 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Fri Apr 20, 2007 8:35 pm
Subject: REVIEW: "Information Security Awareness Basics", Fred Cohen
 
BKINSCAB.RVW   20070119

"Information Security Awareness Basics", Fred Cohen, 2006,
1-878109-39-1
%A   Fred Cohen
%C   572 Leona Dr, Livermore, CA   94550
%D   2006
%G   1-878109-39-1
%I   Fred Cohen and Associates
%O   U$24.00/C$27.97 925-454-0171 all.net
%O  http://www.amazon.com/exec/obidos/ASIN/1878109391/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1878109391/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1878109391/robsladesin03-20
%O   Audience n+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   46 p.
%T   "Information Security Awareness Basics"

This booklet is written as an employee security awareness manual.  It
can be purchased and used as such (by a small business), or customized
and augmented by other materials (for a large enterprise).  (If you
intend using the primer "as is" for your employee manual, note that
you should read it first, and ensure that you do, in fact, provide the
services, and have the policies, that Cohen recommends.  This should
not be onerous, as the procedures outlined are quite reasonable, for
any but the smallest business.)

The content is well-written, readable and clear, and covers a number
of basic points that are often neglected (such as the importance of
reading and understanding the contract with the employer, and, by
extension, the employer's policies.)  (The topics are approximately
one page in length, or less, and are all, with one exception, on
separate pages.)  A significant portion of the early material is
concerned with personal physical (rather than information) security.
This is a very good arrangement, not only because it demonstrates
concern for the well-being of the employee, but also since it starts
with the more familiar (less esoteric) matters, and is a good lead-in
to the concepts of information security.

Well thought out, well written, and clear.  This is a useful item for
those who do not have the time to create their own security awareness
materials, and a model for those who do.

copyright Robert M. Slade, 2007   BKINSCAB.RVW   20070119


#725 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue Apr 24, 2007 10:31 pm
Subject: REVIEW: "Sarbanes-Oxley for Dummies", Jill Gilbert Welytok
 
BKSOXDUM.RVW   20070125

"Sarbanes-Oxley for Dummies", Jill Gilbert Welytok, 2006,
0-471-76846-4, U$21.99/C$25.99
%A   Jill Gilbert Welytok jgilbert@... www.abtechlaw.com
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2006
%G   0-471-76846-4
%I   John Wiley & Sons, Inc.
%O   U$21.99/C$25.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471768464/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471768464/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471768464/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   364 p.
%T   "Sarbanes-Oxley for Dummies"

The introduction states that this is an overview treatment of the
Sarbanes-Oxley (SOX) law and related regulations, avoiding in-depth
discussions but providing enough background for the reader to
understand key concepts, structure basic compliance, and predict major
future trends in the directives.

Part one gives a historical review of the rationale behind SOX.
Chapter one looks at loopholes in reporting before SOX, the political
climate behind the swift passage of SOX, and the basic requirements
under SOX.  The financial scandals that gave impetus to the law, and a
review of the new restrictions from a slightly different perspective,
are in chapter two.  Various (United States) securities laws, and the
specific SOX provisions, are listed in chapter three.  Chapter four
gives a very brief outline of financial statements (without really
explaining how SOX will assist with reporting).

Part two addresses compliance with the new standards.  Chapter five
notes that the accounting profession now has specific criteria to meet
in regard to auditing, rather than the previous self-regulation.  The
Public Company Accounting Oversight Board (PCAOB) is described in
chapter six.  Rules for audit committees are listed in chapter seven.
Chapter eight notes regulations for ensuring the independence of
boards of directors.  Specific edicts for chief executive and
financial officers are noted in chapter nine.  Chapter ten mentions
other new dictates for corporate management.

Particulars of audits according to section 404 are outlined in part
three.  Chapter eleven looks at the meaning of "internal controls."
Roles and responsibilities for components of an audit are covered in
chapter twelve.  Specific problems and items that will assist in the
audit process are in chapter thirteen.

Part four notes software tools, supposedly to help you either with
security program planning or compliance with SOX.  Chapter fourteen
lists types of software and the tasks that can be assisted by
software.  The tasks are not correlated with the types of software,
and there are actually only a couple of programs mentioned.  Preparing
to use one specific program is described in chapter fifteen.

Part five looks to the future.  Chapter sixteen looks at some of the
court cases in areas related to SOX.  Chapter seventeen notes the
extension of SOX to activities that might be considered to be outside
its jurisdiction (including foreign companies).

Part six is the obligatory "Part of Tens," including ten ways to not
get sued, an equivalent number of tips for an audit committee, smart
management moves, things an auditor can't change after the audit, and
references.

There is surprisingly little explanation about what SOX actually is
and requires.  There is some background about the development of SOX,
but the key concepts, basic compliance, and prediction of future
trends are definitely missing.  Since legal compliance issues are
likely of great significance to corporations, it is unlikely that this
book would be of much help to anyone.

copyright Robert M. Slade, 2007   BKSOXDUM.RVW   20070125


#726 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Mon Apr 30, 2007 11:49 pm
Subject: REVIEW: "Information Security Architecture", Jan Killmeyer
 
BKINSEAR.RVW   20070125

"Information Security Architecture", Jan Killmeyer, 2006,
0-8493-1549-2
%A   Jan Killmeyer
%C   920 Mercer Street, Windsor, ON   N9A 7C2
%D   2006
%G   0-8493-1549-2
%I   Auerbach Publications
%O   +1-800-950-1216 auerbach@... orders@...
%O  http://www.amazon.com/exec/obidos/ASIN/0849315492/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0849315492/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0849315492/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   393 p.
%T   "Information Security Architecture"

The preface to the book seems to indicate an intent to provide a
taxonomy of security activities under eight (mostly management
related) "components": infrastructure, policy, risk assessment,
training, compliance, monitoring, incident response, and business
continuity.  (Those who follow the development of security frameworks
will notice a strong correlation to the COSO [Committee of Sponsoring
Organizations of the Treadway Commission] structure.)  The "Executive
Summary" basically does the same thing, at greater length
(concentrating on the threats to information), and seems to have been
lifted from the first edition of the book with incomplete
modifications: the illustrations refer to the original five
components, and there is a reference to a now non-existent chapter
twelve.

Chapter one, on information security architecture, defines it as the
mechanism for ensuring that all users know what they are responsible
for in terms of protecting resources, which would seem to put it
squarely in the "design" camp.  (This perspective would seem to be
consistent with the statement that an architecture has "components.")
The remainder of the material reinforces the idea of a managed plan
for implementing security.  Infrastructure, in chapter two, is
addressed primarily in terms of the roles of people within the
enterprise, and a repeat (from chapter one) of several pages of text
(and an illustration) outlining the security plan.  The elements of a
security policy, and pointers to sample constituents listed in the
appendices, are given in chapter three.  Aspects of risk analysis are
mixed with information on random security controls in chapter four.
Chapter five says the usual things about security awareness and
training programs.  Compliance, in chapter six, is primarily concerned
with audits.  Chapter seven lists some of the problems you may
encounter in creating a security program, many of which are related to
a lack of management support.  A high-level overview of the structures
and reports of incident response makes up chapter eight.  A final
admonition to manage security is given in chapter nine.

The book doesn't really talk about information security architecture.
There is a general outline of the basic aspects of a security program,
although the details have numerous gaps.  There are a great many such
general security overview texts, and therefore this volume neither
addresses a specific audience nor contributes anything meaningful to
the security literature.

copyright Robert M. Slade, 2007   BKINSEAR.RVW   20070125


#727 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue May 15, 2007 5:40 pm
Subject: REVIEW: "Between Silk and Cyanide", Leo Marks
 
BKBESICY.RVW   20070322

"Between Silk and Cyanide", Leo Marks, 1998, 0-684-86422-3,
U$27.50/C$41.00
%A   Leo Marks
%C   1230 Avenue of the Americas, New York NY   10020
%D   1998
%G   0-684-86422-3
%I   Simon & Schuster
%O   U$27.50/C$41.00 212-373-8500
%O  http://www.amazon.com/exec/obidos/ASIN/0684864223/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0684864223/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0684864223/robsladesin03-20
%O   Audience n+ Tech 1 Writing 3 (see revfaq.htm for explanation)
%P   614 p.
%T   "Between Silk and Cyanide: A Codemaker's War"

In one chapter, Marks recounts a training session, on the encryption
of messages, with an agent who is intelligent and creative, but
somewhat careless.  Knowing that she has been raised to believe that
lying is the worst sin, he points out that her mistakes force the code
to lie to those receiving her messages.  It's an intriguing point of
view.

Those who know about cryptography may find the book rather
frustrating.  There is just enough material to hint at the
cryptological techniques being used, but at the point you think you
are going to get down to details the text takes off on another tack,
or delivers a weak analogy.  Yes, those familiar with the field will
recognize substitution, permutation, one-time pads, traffic padding,
and attempts at misdirection, but you'd think the secrecy requirements
would have been lifted off some of this stuff after all this time.

Marks writes well, though often (ironically, given the ostensible
subject matter) cryptically.  While his stories are fascinating, his
reticence on some issues weakens a number of them.  In the end, this
volume is about people, not cryptography.  Marks writes of bravery,
foolishness, empire-building, jealousy, and a great many human
foibles.  It is understandable that he avoids thinking or writing of
events regarding some of those for whom he had the deepest feelings:
that's a foible, too.  Although all of the personal content is
affecting, Marks has, perhaps, done a disservice to those closest to
him by either passing over them too quickly, or by foreshadowing
tragedies far too long in advance.

Read as a story about people and their reactions to new situations and
technologies, the book is both entertaining and informing.  And,
ultimately, security is all about people, anyway.

copyright Robert M. Slade, 2007   BKBESICY.RVW   20070322


#728 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Thu May 24, 2007 5:31 pm
Subject: REVIEW: "Beyond Sarbanes-Oxley Compliance", Anne M. Marchetti
 
BKBYNSOX.RVW   20070228

"Beyond Sarbanes-Oxley Compliance", Anne M. Marchetti, 2005,
0-471-72626-5, U$49.95/C$64.99/UK#27.95
%A   Anne M. Marchetti
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2005
%G   0-471-72626-5
%I   John Wiley & Sons, Inc.
%O   U$49.95/C$64.99/UK#27.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471726265/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471726265/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471726265/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   271 p.
%T   "Beyond Sarbanes-Oxley Compliance"

Part one deals with the basic level of compliance, ensuring that a
company is not in contravention of the Sarbanes-Oxley (SOX) act.
Chapter one is an overview of the US law.  More detail on sections
302, 404, and 409 of the act, and the implications thereof, is
provided in chapter two.  Factors affecting the initial, rudimentary
level of compliance are discussed in chapter three, but the material
is somewhat disorganized.  Chapter four defines a number of terms
relating to control deficiencies, and outlines a six-step "path" to
compliance (which is based upon general project management stages).

Part two moves from the fundamental compliance level to a process
involving ongoing maintenance and monitoring.  Chapter five examines
the success (and failure) factors for change management, and this time
promotes a five-step project cycle, which is extended and detailed in
chapter six.  The audit function is reviewed, in chapter seven, mostly
regarding independence between auditors and the audited.  Other
matters relating to ensuring compliance on an ongoing basis are noted
in chapter eight.

Part three suggests that companies move beyond regarding mere
requirements for compliance to process improvement, the topic of
chapter nine.  The remaining chapters, although seemingly included in
this part of the book, have little to do with process improvement as
such: ten explores the International Financial Reporting Standard
(IFRS), eleven notes SOX requirements for companies not under the
jurisdiction of the United States, and twelve looks at initiatives
from the financial services industry, such as Basel II.

In the earlier "Beyond COSO" (cf. BKBECOSO.RVW) Steven Root
recommended that companies should implement internal controls as
suggested by the Committee of Sponsoring Organizations of the Treadway
Commission, but must also go beyond them, in a manner similar to the
layered defence or defence in depth models.  Marchetti's similar title
would imply a comparable intent.  Unfortunately, "Beyond Sarbanes-
Oxley Compliance" is incomplete in its explanation of SOX, and does
not provide much assistance in achieving minimal compliance, let alone
moving beyond that level.  For those with a rudimentary understanding
of internal controls, this book does provide some additional
background and a set of factors to consider, but not much more.

copyright Robert M. Slade, 2007   BKBYNSOX.RVW   20070228


#729 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade@...>
Date: Tue May 29, 2007 5:11 am
Subject: REVIEW: "Rootkits for Dummies", Larry Stevenson/Nancy Altholz
BKRTKTDM.RVW   20070228

"Rootkits for Dummies", Larry Stevenson/Nancy Altholz, 2007,
978-0-471-91710-6, U$29.99/C$35.99/UK#19.99
%A   Larry Stevenson @castlecops.com
%A   Nancy Altholz @castlecops.com
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2007
%G   978-0-471-91710-6
%I   John Wiley & Sons, Inc.
%O   U$29.99/C$35.99/UK#19.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471917109/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471917109/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471917109/robsladesin03-20
%O   Audience s- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   380 p.
%T   "Rootkits for Dummies"

Part one outlines the basics of rootkits.  Chapter one defines malware
and rootkits, although many of the definitions are rather careless.
For example, rootkits are defined, properly, in terms of software for
hiding processes or other evidence of intrusions on the computer, but
various passages in the chapter imply that rootkits are viruses or
other similar malware, or that rootkits are simply any stealthy
program.  Resistance, recognition, and recovery are given, in chapter
two, as the keys to having a resilient system.  These themes are
expanded in parts two to four, but the content provided in chapter two
is not terribly helpful.

Part two turns to resistance.  Chapter three reviews intermediate
level computer maintenance: many of the suggestions are beyond the
capabilities of the average user.  Similarly, chapter four's
recommendations are good, but much of the advice would be difficult
for a non-specialist to perform, and the explanations for items such
as limited user accounts would not be sufficient to get them through
the full process.  It is always good to suggest users keep up to date
with patches, but chapter five does not provide any of the
alternatives to the Windows Update site.  Miscellaneous measures are
listed in a disorganized fashion in chapter six.  Some of the material
duplicates that given in chapter four, but there still isn't enough
detail for the instructions to be useful for most readers.

Recognition makes up part three.  Chapter seven looks at various
interesting means rootkits use to hide, but there is also a lot of
uninformative verbiage taking up space here.  Detection, in chapter
eight, is mostly restricted to advanced activities and limited
information is provided to the reader.  Chapter nine describes both
general system tools and also software specific to rootkit detection.

Although part four is supposed to be about recovery, the material is
scant.  An assortment of utilities, some for recovery, but a number
for forensics, are described in chapter ten.  Eleven covers the
process of erasing the hard disk and re-installing Windows.

Part five lists ten rootkits, in chapter twelve, and twelve security
sites in thirteen.

There is no indication as to the intended audience for this book.  The
material is, in most sections, far beyond the capabilities of the
average computer user, and a great deal is even beyond the normal
level of the average help desk worker or system administrator.  At the
same time, the specialist or researcher will find much of the text to
be useless or superfluous, and even some of the professional class
content is poorly explained for those who are not thoroughly familiar
with certain utilities.  The work will have some value, particularly
for those in rarefied fields of research, but the lack of consistency
will limit that value.

copyright Robert M. Slade, 2007   BKRTKTDM.RVW   20070228


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...     slade@...     rslade@...
You can't wait for inspiration. You have to go after it with a
club.                                                  - Jack London
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
