REVIEW: "Inside Internet Security", Jeff Crume

  • Rob Slade, doting grandpa of Ryan and Tr
    Message 1 of 1, Jun 11, 2001
      BKININSC.RVW 20010511

      "Inside Internet Security", Jeff Crume, 2000, 0-201-67516-1, U$29.95
      %A Jeff Crume crume@...
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2000
      %G 0-201-67516-1
      %I Addison-Wesley Publishing Co.
      %O U$29.95 416-447-5101 fax: 416-443-0948 bkexpress@...
      %P 270 p.
      %T "Inside Internet Security: What Hackers Don't Want You to Know"

      Recently I started teaching a new class. During the introductions,
      one student admitted that he wanted to learn how to break into systems
      since that would teach him how to protect them, right? In the first
      place, I don't believe him. In the second, his thesis is seriously
      flawed. Yet that is the type of argument Crume seems to be making in
      the introduction to this book: learning how to hack will teach you how
      to protect yourself. It doesn't work that way. Knowing how to
      exploit a buffer overflow in Microsoft's Internet Information Server
      doesn't teach you anything about the type of systems development
      practices that will keep you from leaving buffer overflow loopholes in
      your own programs.

      Crume does, however, present some good, if basic, security advice.
      After a bit of a rocky start.

      Chapter one says that there are weaknesses in the net. Big surprise.
      Chapter two says that the net is possibly dangerous. About the only
      reliable information you'll get out of chapter three is that hackers
      differ.

      By chapter four, though, the book has settled down. Here we get a
      decent introduction to risk analysis, stressing that some risks are
      not worth protecting against. There is some solid advice about
      security policies in chapter five, most notably, have one.

      Chapter seven lists some good general points to keep in mind, which
      then become the titles of the remaining chapters. There is a clear,
      if not terribly detailed, explanation of what firewalls are and do, in
      chapter eight. We are warned to be wary of insiders in chapter nine,
      which also points out that not all "insiders" are actually inside.
      Chapter ten outlines some of the aspects of social engineering. A
      detailed discussion of passwords, in chapter eleven, even covers
      tokens and biometrics. Network and packet sniffing is explained in
      chapter twelve. Chapter thirteen is weak. Ironically, it is the
      first chapter to touch closely on the items Crume implied in the
      introduction, and looks at software vulnerabilities. But these
      loopholes are very difficult to deal with, and the material here isn't
      much help. Chapter fourteen is helpful in pointing out that factory
      set defaults can be dangerous. The title of chapter fifteen ("it
      takes a thief to catch a thief") seems to be suggesting that you hire
      hackers. Actually, it merely suggests that you learn the
      vulnerabilities that they know. However, it isn't very useful in
      pointing the reader in the right direction. Chapter sixteen offers a
      grab bag of anecdotal reports of recently exploited vulnerabilities.

      And, of course, I have to pay special attention to chapter seventeen,
      on viruses. Well, Crume makes mistakes, but he doesn't make any
      really important ones. The background is reasonable, and the advice
      is sound.

      Chapter nineteen provides a good overview of cryptology, but some of
      the more important points get buried in the stories. (There is more
      material provided in appendix A.) Backdoors and end runs are
      discussed in chapter twenty. Chapter twenty-one points out that even
      "harmless" defacement of a Website can have serious consequences,
      while twenty-two says the information is valuable and a good defence.
      Chapter twenty-three finishes off with a look at some emerging
      technologies that are bringing forward new security concerns.

      One note that I should make: the text doesn't have all that much to
      say about the Internet, as such. Most of the points deal with
      security on a general basis. Which doesn't necessarily make it any
      less useful.

      This book can be read completely in a day. And, for most managers and
      businesspeople it would be a day very well spent. While some chapters
      are weak, roughly three quarters of the material is both reasonable
      and technically sound, a match that happens less often than one might
      wish. This is definitely a volume to get to pass around among all
      employees--and to provide to all newly hired managers.

      copyright Robert M. Slade, 2001 BKININSC.RVW 20010511

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... rslade@... slade@... p1@...
      A witty saying proves nothing. - Voltaire
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
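The review's opening paragraph contrasts knowing how to exploit a buffer overflow with the development practice that keeps one out of your own code. The following C is an added illustration of that practice; it is not code from the book or from the review, and the function names, the NAME_MAX buffer size, and the sample inputs are all constructed for the example. It places the classic unbounded-copy pattern beside a bounded copy that reports when input does not fit, which is the check a developer applies without ever needing to know how the overflow would be exploited.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed buffer size chosen for the example. */
#define NAME_MAX 16

/* Unsafe pattern: the destination size is never consulted. Input longer
   than NAME_MAX-1 bytes overwrites whatever sits after `name` on the
   stack. Kept only for contrast; never call it with untrusted input. */
void greet_unsafe(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);            /* no bound: the loophole */
    printf("hello, %s\n", name);
}

/* Safe pattern: copy at most dst_size-1 bytes, always NUL-terminate, and
   report truncation so the caller can reject over-long input instead of
   silently proceeding. Returns 0 on success, -1 if `src` did not fit
   (dst then holds a valid, truncated string). Reads no more than
   dst_size bytes of `src`, so an unterminated source is also safe. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst_size == 0)
        return -1;

    /* Bounded scan for the terminator: stop at dst_size bytes. */
    while (len < dst_size && src[len] != '\0')
        len++;

    if (len >= dst_size) {          /* no room for the terminator */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);      /* includes the NUL */
    return 0;
}

/* Hardened greeting: refuses input that would not fit the buffer.
   Returns 1 if a greeting was printed, 0 if the input was rejected. */
int greet_safe(const char *input)
{
    char name[NAME_MAX];

    if (copy_bounded(name, sizeof name, input) != 0) {
        fprintf(stderr, "name too long (max %d bytes)\n", NAME_MAX - 1);
        return 0;
    }
    printf("hello, %s\n", name);
    return 1;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would have overflowed
       greet_unsafe's buffer. */
    const char *ok = "alice";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes */

    greet_safe(ok);        /* prints the greeting */
    greet_safe(too_long);  /* rejected, nothing overwritten */
    return 0;
}
```

The design choice worth noting is that copy_bounded returns a status rather than truncating silently: a truncated name is a correctness bug of its own, and a caller that checks the result can fail closed. The same discipline (size passed alongside every buffer, terminator guaranteed, failure reported) is what the review means by development practice, and none of it depends on knowing the exploitation side.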