REVIEW: "Inside Internet Security", Jeff Crume
BKININSC.RVW 20010511
"Inside Internet Security", Jeff Crume, 2000, 0-201-67516-1, U$29.95
%A Jeff Crume crume@...
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%I Addison-Wesley Publishing Co.
%O U$29.95 416-447-5101 fax: 416-443-0948 bkexpress@...
%P 270 p.
%T "Inside Internet Security: What Hackers Don't Want You to Know"

Recently I started teaching a new class. During the introductions,
one student admitted that he wanted to learn how to break into systems
since that would teach him how to protect them, right? In the first
place, I don't believe him. In the second, his thesis is seriously
flawed. Yet that is the type of argument Crume seems to be making in
the introduction to this book: learning how to hack will teach you how
to protect yourself. It doesn't work that way. Knowing how to
exploit a buffer overflow in Microsoft's Internet Information Server
doesn't teach you anything about the type of systems development
practices that will keep you from leaving buffer overflow loopholes in
your own programs.

Crume does, however, present some good, if basic, security advice,
after a bit of a rocky start.
Chapter one says that there are weaknesses in the net. Big surprise.
Chapter two says that the net is possibly dangerous. About the only
reliable information you'll get out of chapter three is that hackers

By chapter four, though, the book has settled down. Here we get a
decent introduction to risk analysis, stressing that some risks are
not worth protecting against. There is some solid advice about
security policies in chapter five, most notably, have one.

Chapter seven lists some good general points to keep in mind, which
then become the titles of the remaining chapters. There is a clear,
if not terribly detailed, explanation of what firewalls are and do, in
chapter eight. We are warned to be wary of insiders in chapter nine,
which also points out that not all "insiders" are actually inside.
Chapter ten outlines some of the aspects of social engineering. A
detailed discussion of passwords, in chapter eleven, even covers
tokens and biometrics. Network and packet sniffing is explained in
chapter twelve. Chapter thirteen is weak. Ironically, it is the
first chapter to touch closely on the items Crume implied in the
introduction, and looks at software vulnerabilities. But these
loopholes are very difficult to deal with, and the material here isn't
much help. Chapter fourteen is helpful in pointing out that factory-
set defaults can be dangerous. The title of chapter fifteen ("it
hackers. Actually, it merely suggests that you learn the
vulnerabilities that they know. However, it isn't very useful in
pointing the reader in the right direction. Chapter sixteen offers a
grab bag of anecdotal reports of recently exploited vulnerabilities.

And, of course, I have to pay special attention to chapter seventeen,
on viruses. Well, Crume makes mistakes, but he doesn't make any
really important ones. The background is reasonable, and the advice

Chapter nineteen provides a good overview of cryptology, but some of
the more important points get buried in the stories. (There is more
material provided in appendix A.) Backdoors and end runs are
discussed in chapter twenty. Chapter twenty-one points out that even
"harmless" defacement of a Website can have serious consequences,
while twenty-two says the information is valuable and a good defence.
Chapter twenty-three finishes off with a look at some emerging
technologies that are bringing forward new security concerns.

One note that I should make: the text doesn't have all that much to
say about the Internet, as such. Most of the points deal with
security on a general basis. Which doesn't necessarily make it any

This book can be read completely in a day. And, for most managers and
businesspeople it would be a day very well spent. While some chapters
are weak, roughly three quarters of the material is both reasonable
and technically sound, a match that happens less often than one might
wish. This is definitely a volume to get to pass around among all
employees--and to provide to all newly hired managers.

copyright Robert M. Slade, 2001 BKININSC.RVW 20010511
rslade@... rslade@... slade@... p1@...
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade