REVIEW: "The Internet Security Guidebook", Juanita Ellis/Timothy Speed

Rob Slade, Message 1 of 1, Aug 13, 2001

BKISGFPD.RVW 20010605

"The Internet Security Guidebook", Juanita Ellis/Timothy Speed, 2001,
0-12-237471-1, U$44.95
%A Juanita Ellis
%A Timothy Speed tim.speed@...
%C 525 B Street, Suite 1900, San Diego, CA 92101-4495
%D 2001
%G 0-12-237471-1
%I Academic Press
%O U$44.95 619-231-0926 800-321-5068 fax: 619-699-6380
%P 320 p.
%T "The Internet Security Guidebook: From Planning to Deployment"

The introduction outlines some of the basic types of attacks that can
happen over the Internet, and seems to concentrate on attacks against
machines, rather than people or companies. This emphasis on the
technical is odd, since the material provides very few technical
details, but does contain more than a little error and confusion. The
text of the book doesn't mention a specific target audience, although
the jacket notes seem to promote the work to CEOs and other senior
executives. Which is odd: the writing level seems more appropriate to
the home user.

Chapter one is an overview of security planning. Most of the
important parts of preparation are included, but the chapter structure
and even the figures are very confusing. There are many gaps in the
discussion of security reviews, and a number of odd and apparently
misplaced items have been inserted. Encryption is covered
simplistically, and the lack of depth in the material becomes a
problem in the chapter on network security. After twelve pages that
*don't* explain the Internet and OSI (Open Systems Interconnection)
models of networking, the text attempts to deal with a number of
Internet security tools, most of which rely on encryption and key
exchange. There are frequent errors and the sections sometimes even
provide contradictory and nonsensical explanations, such as the
statement that "unencoded" means both "not encrypted" and "not as
plain text." The basic outline of firewalls is better than is
provided in most general guides, although the description of
circuit-level gateways keeps referring to "stateful inspection" without
ever explaining what that is. The long evaluation section is,
unfortunately, the usual for this type of book: it does provide most
of the right questions to ask, but doesn't give the novice reader much
help in analyzing the answers. Authentication is a very important
topic in security, and it is too bad that the material on this subject
is so confused, and confusing. I find it very difficult to reconcile
the statement that there are "very few examples" of biometrics with
the existence of a great many fingerprint, palm geometry, iris,
voiceprint, and even face readers. The depiction of Kerberos is wrong
in some basic aspects, does not address the fundamental problems with
the Microsoft version, and does not relate in any way to the very
closely associated topic of single sign-on that immediately follows.

The discussion of PKI (Public Key Infrastructure) does do well in
covering the "build or buy" debate for a certificate authority.
Directory issues are not handled particularly well, and there are
other errors. (Excuse me? The Internet didn't exist before the
mid-1980s?) The chapter on messaging security is a real grab bag of
topics, none of which, with the possible exception of acceptable use,
are covered in sufficient depth. (Viruses and trojans get lumped into
this chapter, and the commentary is quite sloppy.) The basic outline
of risk analysis, including threat, impact, and probability, is good,
but the supporting material is not quite standard, and probably not
very helpful to the target audience. The chapter also fails to point
out the full scope of such an appraisal, as well as the importance of
looking at the aggregate risk. On the other hand, the review of
policy and procedures hardly seems to address policy creation at all.
This is another miscellaneous compendium of vulnerabilities, diving
into specifics and missing the bigger picture. The material on
incident response is generic, but does point out the foundational
concepts. There is little detail, and the text does concentrate on
dealing with events by severity, rather than by type. The book closes
off with an ordinary presentation on project planning.

I would be the first to admit that security can be a dry topic, and a
little humour can help to spice up the text. However, I am willing to
make an exception in the case of this book. The jokes added to the
text do nothing to improve it. They are intrusive, distracting, and
do not, in any way, help the reader to understand the topics under
discussion. Indeed, the attempts at comedy generally sidetrack the
reader from the central issues of the work, and simply confuse any
issue under discussion.

If this text is aimed at executive management, it definitely needs to
be tightened up and reorganized to eliminate duplicated material and
ensure the structure and arguments are easier to follow. Many points
raised throughout the work are important, but a number of vital issues
are not addressed, and the patchwork of writing level and quality of
information probably means that this is unsuitable as an only
introduction to security. The Internet, in fact, is not really a
major concern in this book, although it does get mentioned from time
to time. I would have difficulty in suggesting a group that would
benefit from this book, although it might serve as an adjunct text to
the security planning process, if ideas were being culled from
multiple sources.

copyright Robert M. Slade, 2001 BKISGFPD.RVW 20010605

====================== (quote inserted randomly by Pegasus Mailer)
rslade@... rslade@... slade@... p1@...
Why should I care about posterity? What's posterity ever done for
me? - Groucho Marx
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade