Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Computer Security Handbook", Seymour Bosworth/M. E. Kabay

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKCMSCHB.RVW 20020911 Computer Security Handbook , 2002, Seymour Bosworth/M. E. Kabay, 0-471-41258-9 %E Seymour Bosworth sybosworth@aol.com %E M. E.
    Message 1 of 1 , Nov 4, 2002
    • 0 Attachment
      BKCMSCHB.RVW 20020911

      "Computer Security Handbook", 2002, Seymour Bosworth/M. E. Kabay,
      0-471-41258-9
      %E Seymour Bosworth sybosworth@...
      %E M. E. Kabay mkabay@...
      %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
      %D 2002
      %G 0-471-41258-9
      %I John Wiley & Sons, Inc.
      %O U$75.00 416-236-4433 fax: 416-236-4448
      %P 1224 p.
      %T "Computer Security Handbook, Fourth Edition"

      There are many recognizable (and a lot more not so recognizable) names
      in the list of contributors. Authors such as Rebecca Bace, Donn
      Parker, and William Stallings stand out as people who have something
      worth saying, and can say it well. Other names are associated with
      less worthy works.

      Chapter one states that the purpose of the handbook is to describe
      information system security risks, the measures for mitigating those
      risks, and the techniques for managing security risks. In a sense, it
      does that, but risk management is not the whole of computer security.
      Even if the title of the book were to confine itself to risk
      management, one would still have to say that, overall, there are other
      works that cover the field more completely, with less wasted verbiage.

      There has been an attempt to remove the limiting of previous editions
      to topics relevant to "big iron." However, new technologies still
      seem to get short shrift.

      Part one looks at foundations of computer security, with papers
      examining the history and mission of security (actually just history
      of computers), law and computer forensics (random collection of legal
      issues, almost nothing on forensics), common language for computer
      incident information (proposal with no proof that it will either cover
      all incidents or assist with dealing with incidents), surveys of
      computer crime (lots of material on how studies should be conducted,
      and uncritical reports of some studies), and new framework for
      security (Donn Parker says we are missing pieces of security).

      Threats and vulnerabilities are reviewed in part two, including essays
      on the psychology of computer criminals (mostly good but some
      questionable observations and theories about black hats), information
      warfare (information systems can be attacked--surprise!), penetrating
      systems and networks (there are different ways to get unauthorized
      access), malicious code (traditional models and some recent examples
      of viruses), mobile code (some aspects of ActiveX and scripting),
      denial of service attacks (reasonable overview of various types--and
      some unrelated exploits), intellectual property (random legislation
      and thoughts), e-commerce vulnerabilities (various weaknesses), and
      physical threats (generic disaster recovery).

      Part three covers preventive technical defenses, containing topics
      such as protecting information infrastructure (generic security,
      mostly physical), identification and authentication (brief
      introduction), operating system security (good introduction to access
      control), local area networks (random thoughts), e-commerce safeguards
      (legal protections and vague ideas), firewalls (confused grab bag),
      protecting Internet systems (basic concepts), protecting web sites
      (broad but not deep), public key infrastructure (basic components, but
      no more), antivirus technology (simplistic look at scanning), software
      development (simplistic look at the software development life cycle),
      and piracy (piracy is going on and we have to find some way to stop
      it).

      Human factors, in part four, looks at standards for security products
      (verbose description of the Common Criteria components), security
      policy guidelines (miscellaneous related documents), security
      awareness (do interesting seminars), ethics (vague), employment
      policies (grab bag), operations security (and another), Internet use
      policies (yet again), working with law enforcement (generic and poorly
      structured), social psychology (redoing the security awareness article
      with extra psychological jargon), and auditing computer security (a
      checklist).

      Part five's look at detection is brief, with intrusion detection
      (excellent introduction), monitoring (you should log stuff), and
      application controls (database integrity).

      Remediation reviews computer emergency response teams (generic),
      backups (pedestrian), business continuity planning (have a plan),
      disaster recovery (repeat previous), and insurance (get some) in part
      six.

      Part seven examines management's role, including management
      responsibilities (you could be liable), developing policies (generic),
      risk assessment (assess risks), and Y2K (management is now onside--
      yeah, right).

      Other considerations, such as medical records (good introduction and
      discussion of the issues), using encryption internationally (laws
      differ), censorship (random thoughts), privacy (various laws),
      anonymity (psychological ponderings), and the future (various
      thoughts) make up part eight.

      There is useful material in the work, but it is difficult to abstract
      the good from the mundane unless you are already quite expert in the
      field. The newcomer would be advised to get some basic training or
      reading before attempting to deal with this work, but the expert will
      be able to find some useful nuggets.

      copyright Robert M. Slade, 2001, 2002 BKCMSCHB.RVW 20020911


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... rslade@... slade@... p1@...
      The LORD says: `These people come near to me with their mouth and
      honour me with their lips, but their hearts are far from me.
      Their worship of me is made up only of rules taught by men.
      - Isaiah 29:13
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
    Your message has been successfully submitted and would be delivered to recipients shortly.