Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Computer Security Handbook", 1995, Arthur E. Hutt/Seymour Bosworth/Douglas B. Hoyt

Expand Messages
  • Rob Slade grandpa of Ryan Trevor Pride &
    BKCMSCHB.RVW 20010530 Computer Security Handbook , 1995, Arthur E. Hutt/Seymour Bosworth/Douglas B. Hoyt, 0-471-11854-0 %E Arthur E. Hutt %E Seymour
    Message 1 of 1 , Aug 7, 2001
    View Source
    • 0 Attachment
      BKCMSCHB.RVW 20010530

      "Computer Security Handbook", 1995, Arthur E. Hutt/Seymour
      Bosworth/Douglas B. Hoyt, 0-471-11854-0
      %E Arthur E. Hutt
      %E Seymour Bosworth
      %E Douglas B. Hoyt
      %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
      %D 1995
      %G 0-471-11854-0
      %I John Wiley & Sons, Inc.
      %O U$90.00 416-236-4433 fax: 416-236-4448
      %T "Computer Security Handbook, Third Edition"

      Overall, this work appears to be strongly influenced from a time when
      computers were mainframes locked in glass rooms, and the information
      technology department was under the jurisdiction of accounting.
      Although some effort has been made to address more recent topics, the
      attempt is piecemeal at best, and quite limited in depth.

      Part one looks at the responsibility of management in the security
      concern. The first essay, specifying the role of management,
      certainly dates the work in the big iron era, defining security solely
      from the perspective of availability. Disclosure of information does
      get a mention, but even the list of risks to be considered
      concentrates primarily on malfunction or disaster. A second paper
      takes a rather vague look at policies and related documents, but is
      backed up with a number of examples. The review of risk analysis is
      similarly nebulous, although it does have some potentially useful
      tables of probable threats. Optimism about the availability of
      background information seems to surround the discussion of employee
      policies, but some important basic principles are presented. Legal
      issues are dealt with briefly, but over a wide range of topics. The
      article on computer crime is not particularly realistic: as one
      example, the examination of controls concentrates on provisions for
      preventing programmers from installing logic bombs, but the case
      studies actually cited as examples of the need for such controls were
      perpetrated as fraud by those in positions of authority.

      Part two outlines basic safeguards. Disaster recovery is, again,
      reviewed primarily from the mainframe perspective. The principles may
      be the same, but the important resources for a corporation probably
      involve many more aspects than just a mainframe and data. An overview
      of insurance sounds very much like a sales pitch, although it does
      divide the topic up by type of threat, and examines different factors
      that can affect price and the willingness of the insurers to make good
      on a loss. (I was amused to note that the section on viruses
      basically admits that vendors will use extraordinary interpretations
      of standard wording to weasel out of paying.) The chapter on auditing
      appears to have been written solely from an accounting perspective,
      and, while the points listed would be helpful in creating part of a
      security policy, they address only those issues related to internal
      fraud. System application controls are discussed strictly in terms of
      development cycles and ideas such as "total quality management" (TQM).

      Part three moves to physical protection. Hardware protection takes a
      detailed look at internal error situations right down to the gate
      level, as well as a more superficial examination of architecture
      concerns and environmental problems. Accidental calamities are also
      the major emphasis in computer facility protection, although there is
      some attention paid to the need to secure cabling. "Monitoring and
      Control Devices" presents theory behind surveillance and alarm
      systems.

      Part four starts to look into technical aspects of data security. A
      chapter on software and information security appears to have some
      valid points to make (aside from the misinformation on viruses) but is
      written in such a convoluted manner that most material must be read
      several times to puzzle out the meaning. An essay on records
      retention has been retrofitted to become an examination of computer
      data security. The paper on encryption is extremely disjointed (for
      example, dropping a discussion of network topologies into a purported
      explanation of the RSA [Rivest Shamir Adleman] encryption algorithm),
      and almost completely lacking in details. A rather generic security
      overview (with questionable virus information) is supposed to address
      data communications and networking. A grab bag of penetration
      techniques and countermeasures provides some interesting prompts to
      consider various attacks, but is not organized or complete enough to
      fully cover the subject. The chapter on viruses and related threats
      is rife with errors, and confuses the various types of problems with
      each other as well as with unverified speculation.

      Part five deals with special protection issues. Chapter twenty
      suggests that you might want to be a little careful when dealing with
      outside contractors. While there is some disorganization, and a few
      odd anachronisms, the paper on personal computers is much more
      practical than most of the preceding material. The essay on LANs
      presents a primer on networks, and then a generic overview of
      security, without an awful lot of relation between the two. The
      chapter on Internet security has some basic information, but is quite
      disorganized.

      Supplements are supposedly produced to update the work. Some such
      documents ask you to replace paragraphs and correct errors: others
      offer additional sections to enhance the original essays. In the 1997
      supplement (ISBN 0-471-17297-9) there are some weak addenda for
      auditing, encryption, and viruses, as well as a decent, though still
      disorganized, extension to the Internet material. There is also a
      first rate examination of email privacy issues and a reasonable though
      uninspired review of single sign-on. When I contacted the publisher,
      I was told that the 2000 supplement was still in the editorial stage.
      In fact, so was the 1998 supplement! So I wouldn't expect any updates
      for the book in the near future.

      Most of the material is fairly obviously old, and originally intended
      to address topics applicable solely to mainframe computer
      establishments, or even non-computerized systems. Patchwork updating
      is evidently an afterthought. A great deal of material is repeated
      many times over in different essays. Generally the papers have little
      detail or depth, so the recapitulations do not add much new content
      each time.

      There is useful material in the work, but it is difficult to abstract
      the good from the outdated and mundane unless you are already quite
      expert in the field. The newcomer would be advised to get some basic
      training or reading before attempting to deal with this work, but the
      expert will be able to find some useful nuggets.

      copyright Robert M. Slade, 2001 BKCMSCHB.RVW 20010530


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... rslade@... slade@... p1@...
      This is not spam. - the first sentence in most recent spam
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
    Your message has been successfully submitted and would be delivered to recipients shortly.