Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Information Security Management Handbook", Harold F. Tipton/Micki Krause

Expand Messages
  • Rob Slade grandpa of Ryan Trevor Pride &
    BKINSCMH.RVW 20010609 Information Security Management Handbook , Harold F. Tipton/Micki Krause, 2000, 0-8493-9829-0/0-8493-0800-3, U$155.00 %E Harold F.
    Message 1 of 1 , Aug 27, 2001
    • 0 Attachment
      BKINSCMH.RVW 20010609

      "Information Security Management Handbook", Harold F. Tipton/Micki
      Krause, 2000, 0-8493-9829-0/0-8493-0800-3, U$155.00
      %E Harold F. Tipton haltip@...
      %E Micki Krause Micki.Krause@...
      %C 2000 Corporate Blvd. NW, Boca Raton, FL 33431
      %D 2000
      %G 0-8493-9829-0, 0-8493-0800-3
      %I Auerbach Publications
      %O U$155.00 800-272-7737 auerbach@... slinton@...
      %O available separately 0-8493-9829-0 $95.00 0-8493-0800-3 $59.95
      %P 2 vol., 711 p. + 626 p.
      %T "Information Security Management Handbook, Fourth Edition"

      As an overview for the CISSP (Certified Information System Security
      Professional) CBK (Common Body of Knowledge), this work covers a vast
      range of topics. The CBK, and the book, is divided into ten domains,
      covering access control systems, telecommunications, security
      management, systems development, cryptography, security architecture,
      operations security, business continuity, law and ethics, and physical
      security. The text provides some excellent articles, some of which
      are general but detailed overviews, and others that address particular
      problems or new technologies. However, even with fifty nine articles
      and over thirteen hundred pages there are gaps, some surprisingly

      The quality of the articles can vary widely. The first essay, on
      biometrics, provides an admirable review of the subject, as well as
      some solid, practical, and useful detail information. The next paper
      is a rather odd treatment of single sign-on, addressing the concepts
      well, but in a disjointed manner that makes reading or studying
      difficult. Following those comes a paper ostensibly dealing with
      securing connections to external networks. It collates some generic
      and vague descriptions of a variety of topics, none of which are
      particularly informative or reliable. (A two-page section on computer
      viruses contains numerous glaring and significant errors. Personally,
      I continue to find it appalling that general security texts deal so
      poorly with this topic.)

      Other areas covered are firewalls (terse), perimeter security for the
      Internet (again, but this time with excellent technical information on
      TCP/IP specifics), extranets (doctrinaire), firewall management (very
      useful for planning), the OSI (Open Systems Interconnections) network
      layer security model (questionable utility), the OSI transport layer
      security model (not much better), application layer security
      (interesting but undetailed), communications and security protocols
      (broad overview, concise but fills in some common gaps), security
      awareness training (reasonable points for success), security
      architecture (brief but basic), IPsec (good overview), risk analysis
      (thorough but perhaps a trifle pedantic), trade secret protection (an
      interesting twist), information security for healthcare (a tad verbose
      and US-centric), security for object-oriented databases (listing
      proposals), fundamentals of cryptography (very clear explanations of
      the math involved), key management (great review of principles, and
      amusing anecdotes from history of the *wrong* ways to manage keys),
      Kerberos (extensive coverage of both details and concepts), PKI
      (Public Key Infrastructure, a quick guide to the basics),
      microcomputer and LAN security (good concepts, overly optimistic,
      oddities in details), trapping intruders (quick concepts), Java
      security (quick basics), business continuity planning (a new process),
      restoration after disaster (general review), computer crime
      investigation (good coverage of many aspects), Internet ethics
      (emphasis on privacy), jurisdictional issues (miscellaneous),
      intrusion detection (concepts and evaluation points), single sign-on
      (opinion this time), authentication services (concepts and amusing
      overview), email security (concept review), ATM (Asynchronous Transfer
      Mode) security (without really discussing security), remote access
      (background fundamentals), sniffers (concepts and details), enclaves
      (firewalls within), IPsec (good details), penetration testing (very
      basic policies), policy (some good points but quite random), the
      security business case (opinion), PeopleSoft security (as for any
      major database), World Wide Web application security (reiteration of
      general security planning with a few Web specifics), common system
      design flaws (an important set), data warehouses (standard system
      development advice with limited security relevance), PKI (simplistic),
      introduction to encryption (a good one), new models for cryptography
      application (useful for planning), cryptanalysis (decent review of
      terminology), message authentication (detailed), UNIX security
      (concepts and tools), hacker tools (not very detailed), malicious code
      (theoretical and incomplete), business impact assessment (after Y2K),
      computer crime investigation (document everything), computer incident
      response teams (CIRTs, vague), intrusion detection (vague and
      repetitious), and operational forensics (retain evidence and data).

      Observant readers will have noted a fair amount of duplication in that
      list. In fact, the reiteration of content is worse than appears here,
      since many topics rely on others, and certain basic ideas (Kerberos
      operations, the Diffie-Hellman public key system, and risk management,
      for three examples) recur in a variety of other discussions, with
      differing levels of detail. As in any work this size a number of
      outright bizarre mistakes have occurred, like the table showing the
      file structure of an authentication database, which has been swapped
      with the structural diagram of a completely different authentication

      This is the closest thing there is to a textbook for the CISSP exam.
      It is fairly easy to see which sections have been reproduced in the
      ISC(2) (International Information System Security Certification
      Consortium) course (in some cases complete down to specific errors).
      Intriguingly, there are sections of the course that previously were
      covered by the third edition, and which do not appear in any
      significant form in this work. (An example is the discussion of the
      standard formal security models, such as Bell-La Padula and

      It should be noted that there is a significant difference in character
      between the two volumes. The first volume deals with topics that are
      closer to the heart of security, and the essays are generally more
      valuable to the practitioner. Volume two contains papers over a wider
      range of subjects, many of which (with the notable exception of the
      pieces on cryptography) have little or no relevance to security beyond
      fundamental concerns that are well covered elsewhere. Book one will
      be useful to the CISSP candidate and any specialty security worker:
      book two may be of interest to a narrower group of senior security
      executives and theorists, and, ironically, a wider audience of those
      interested in newer technologies in general.

      The quantity of good information that is contained in the work is
      definitely worth the price, but there could easily be a wholesale
      pruning of deadwood.

      copyright Robert M. Slade, 2001 BKINSCMH.RVW 20010609

      rslade@... rslade@... slade@... p1@...
      Find virus, book info http://victoria.tc.ca/techrev/rms.htm
      Mirrored at http://sun.soci.niu.edu/~rslade/rms.htm
      Review mailing list: send mail to techbooks-subscribe@egroups.com
      Viruses Revealed (forthcoming) http://viruses-revealed.org.uk or
    Your message has been successfully submitted and would be delivered to recipients shortly.