
REVIEW: "Defending Your Digital Assets", Randall K. Nichols/Dani

    Message 1 of 1, Jun 26, 2000
      BKDYDAAH.RVW 20000515

      "Defending Your Digital Assets", Randall K. Nichols/Daniel J.
      Ryan/Julie J. C. H. Ryan, 2000, 0-07-212285-4, U$49.99
      %A Randall K. Nichols rnichols@...
      %A Daniel J. Ryan danryan@...
      %A Julie J. C. H. Ryan julieryan@...
      %C 300 Water Street, Whitby, Ontario L1N 9B6
      %D 2000
      %G 0-07-212285-4
      %I McGraw-Hill Ryerson/Osborne
      %O U$49.99 905-430-5000 800-565-5758 905-430-5134 fax: 905-430-5020
      %P 858 p.
      %T "Defending Your Digital Assets: Against Hackers, Crackers, Spies,
      and Thieves"

      In the preface, the authors decide to define their own terms their own
      way. For example, hackers break into computers for the thrill of it,
      while crackers break in for profit. They also state that there is a
      tension between securing a network and managing it, ignoring the fact
      that most people see security as a management issue. Later, in the
      first chapter, the "authors apologize for being a little informal" in
      what they say. Aside from the lack of any reason given for the
      necessity of this "informality" it certainly appears to be much more
      appropriate to call it disorganization and a lack of discipline. The
      book is supposed to be aimed at executives and managers, rather than
      security specialists, or is intended to be used as the text for a
      graduate information security course. Again, leaving aside the
      inherent contradiction in that assertion, the material in this work is
      not just careless, but so seriously flawed that any manager relying on
      it (let alone the poor grad student) is going to be seriously misled
      in places.

      Part one purports to be an overall introduction. Chapter one starts
      with digital espionage and throws around lots of scary numbers and
      names. Unfortunately, the text lacks any analysis of the reports
      being cited, most of which seem to be opinion surveys, and some of
      which contradict each other. (Attacks are said to number in the
      hundreds per day in one account, while another [from the NSA] asserts
      250 per year, and yet a third [from the FCIRC] states 244--for the
      same year.) The text is also extremely confused and appears to be
      almost deliberately unstructured: one paragraph starts talking about
      fraud and then covers the Morris Internet Worm, the only link being
      that Morris was prosecuted under the Computer Fraud and Abuse Act.
      Explanations are careless: the venerable Crack security tool is said
      to "attack" computers. The material is very disorganized, and if you
      can trace a common thread through a section of the text you will find
      that most of the content is peripheral to it. Chapter two is supposed
      to cover information security (infosec, in the book's jargon), but
      instead continues to regale us with stories of digital espionage (DE)
      and infowar. (Except for a seemingly pointless digression into
      Hurricane Andrew.)

      Part two is to present us with infosec concepts. Chapter three,
      somewhat surprisingly, does give us a decent "Common Body of
      Knowledge" overview and threat list, along with some risk management
      and infosec architecture. A serviceable discussion of policy, with
      some time out for US fed bashing, is in chapter four. Privacy, in
      chapter five, is not covered well: we have a flatly inflammatory
      definition of a "cookie," and ten pages of unsupported tables and odd
      graphs which eventually reveal that some people want privacy and
      others want to collect data. (Big surprise.) Chapter six talks about
      security system certification and verification.

      Part four touches on practical infosec. Chapter seven gives a decent
      outline of cryptography, with a good comparison of strength, but a
      huge "analysis" of key recovery and escrow systems shows only that
      some like it and some don't. Access control systems are covered in
      chapter eight. Digital signatures and certificate authorities are
      reviewed in chapter nine: the web of trust model is mentioned, but not
      analyzed or used in the material. Chapter ten is a confused
      discussion of permission management, concentrating primarily on
      e-commerce and the Web. Various factors in Virtual Private Networks
      (VPN) are listed in chapter eleven. Some biometric methods are
      described in chapter twelve.

      Part four does not really deal with business continuity and recovery,
      but emphasizes "event management." Chapter thirteen looks at general
      security factors before the attack. "During and after the attack," in
      chapter fourteen, examines some audit and detection and some Web
      security.

      Continuing with the militaristic imagery, part five wants to give us
      an "order of battle" for infowar. Chapter fifteen's "big picture" is
      more on risk assessment. The definition of infowar, in chapter
      sixteen, is vague, generic, and limited in scope. Malicious code is
      described as a type of virus in chapter seventeen, rather than virus
      being a subset of the class of malicious software. More infowar
      details, and a general model of military intelligence, bog down in a
      weird architecture model. "Methods of Employment," in chapter
      eighteen, is probably more useful if you want to attack somebody.
      Public key infrastructure, in chapter nineteen, reprises chapter nine.
      Chapter twenty's look at cryptography and politics concentrates on US
      regulations and cases, with little philosophical discussion of the
      issues.

      The appendices that close the book are of limited use. For example,
      the "annotated bibliography" is not annotated, and contains a number
      of general press articles and news stories.

      While there is some useful material in this text, the entire work
      requires a wholesale reordering to be of any value. A solid
      restructuring along topical lines would allow a great deal of
      extraneous verbiage to be discarded. A disciplined adherence to the
      topic at hand would make the valuable content much more accessible to
      the target audience. As it is, the book joins a long line of similar,
      and similarly disorganized, "guides" that do not really help the
      non-specialist.

      copyright Robert M. Slade, 2000 BKDYDAAH.RVW 20000515

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... rslade@... slade@... p1@...
      Internet, the information network you can't outgrow - Ido Dubrawsky
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade