"Inside the Security Mind", Kevin Day, 2003, 0-13-111829-3,
%A Kevin Day
%C One Lake St., Upper Saddle River, NJ 07458
%I Prentice Hall
%O U$44.99/C$69.99 +1-201-236-7139 fax: +1-201-236-7131
%P 309 p.
%T "Inside the Security Mind: Making the Tough Decisions"

I am quite sympathetic to the idea that the realization of a security
mindset or attitude (I frequently refer to it as professional
paranoia) is more important to attaining security than isolated
technical skills. I'm sorry to say that this work is not likely to
help you find, attain, or assess that protection perspective.

Right from the beginning of the book, readers will find a flavour of
eastern philosophy, and even mysticism, to it. There are four
virtues, an eight-fold path, and even repeated injunctions for the
reader to keep an "open mind"--a phrase which those who have conversed
with devotees of the Buddhist faith will find rather familiar.

Unfortunately, chapter one seems to demonstrate that Day is bringing
us only a newage vagueness in his description of the security mind.
We are to rid ourselves of negative thoughts, and follow fundamental
virtues, which we haven't been given yet. Computer security is only a
decade old, we are told in chapter two, and constantly changing, and
expensive, and there are few practitioners, and lots of bad guys out
there, and we are paralyzed by fear--but we have nothing to fear but
fear itself! Chapter three finally lists the four virtues for us:
security is ongoing, a group effort, requires a generic approach, and
is dependent upon education. I don't disagree with any of these
points (other than the philological debate about whether they should
be called virtues), and neither would any other security professional.
However, they don't really provide us with much in the way of help.

Eight security "rules," in chapter four, list principles such as
"least privilege," which are also commonly known in security work.
Chapter five is supposed to tell us how to develop a security mind,
but actually seems to be an exercise in wishful thinking. If the
world were neatly divided into safe and unsafe zones, and if our
systems all worked perfectly and in correspondence with our users'
known requirements, and if everyone that we trusted were completely
competent in regard to their own defence, security would be much
easier. Decision-making is likewise simplistically seen to be
supported by the virtues and rules, in chapter six. There is a
superficial overview of blackhats and vulnerabilities in chapter
seven. Chapter eight has a standard review of risk analysis. Vague
ideas on hiring security, and some thoughts on outsourcing, are in
chapter nine. The author gives his opinion on some security tools in
chapter ten. Chapter eleven is another attempt to prove that the
rules can be used. We are given a final adjuration to change our
attitudes in chapter twelve.

Basically, this book is yet another attempt to write a general
security guide, without first ensuring that the material is
structured, sound, complete, or useful.

copyright Robert M. Slade, 2003 BKINSCMI.RVW 20030321