REVIEW: "Computer Security Handbook", Seymour Bosworth/M. E. Kabay

      BKCMSCHB.RVW 20020911

      "Computer Security Handbook", 2002, Seymour Bosworth/M. E. Kabay,
      %E Seymour Bosworth sybosworth@...
      %E M. E. Kabay mkabay@...
      %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
      %D 2002
      %G 0-471-41258-9
      %I John Wiley & Sons, Inc.
      %O U$75.00 416-236-4433 fax: 416-236-4448
      %P 1224 p.
      %T "Computer Security Handbook, Fourth Edition"

      There are many recognizable (and a lot more not so recognizable) names
      in the list of contributors. Authors such as Rebecca Bace, Donn
      Parker, and William Stallings stand out as people who have something
      worth saying, and can say it well. Other names are associated with
      less worthy works.

      Chapter one states that the purpose of the handbook is to describe
      information system security risks, the measures for mitigating those
      risks, and the techniques for managing security risks. In a sense, it
      does that, but risk management is not the whole of computer security.
      Even if the title of the book were to confine itself to risk
      management, one would still have to say that, overall, there are other
      works that cover the field more completely, with less wasted verbiage.

      There has been an attempt to lift the restriction of previous editions
      to topics relevant to "big iron." However, newer technologies still
      seem to get short shrift.

      Part one looks at foundations of computer security, with papers
      examining the history and mission of security (actually just history
      of computers), law and computer forensics (random collection of legal
      issues, almost nothing on forensics), common language for computer
      incident information (proposal with no proof that it will either cover
      all incidents or assist with dealing with incidents), surveys of
      computer crime (lots of material on how studies should be conducted,
      and uncritical reports of some studies), and new framework for
      security (Donn Parker says we are missing pieces of security).

      Threats and vulnerabilities are reviewed in part two, including essays
      on the psychology of computer criminals (mostly good but some
      questionable observations and theories about black hats), information
      warfare (information systems can be attacked--surprise!), penetrating
      systems and networks (there are different ways to get unauthorized
      access), malicious code (traditional models and some recent examples
      of viruses), mobile code (some aspects of ActiveX and scripting),
      denial of service attacks (reasonable overview of various types--and
      some unrelated exploits), intellectual property (random legislation
      and thoughts), e-commerce vulnerabilities (various weaknesses), and
      physical threats (generic disaster recovery).

      Part three covers preventive technical defenses, containing topics
      such as protecting information infrastructure (generic security,
      mostly physical), identification and authentication (brief
      introduction), operating system security (good introduction to access
      control), local area networks (random thoughts), e-commerce safeguards
      (legal protections and vague ideas), firewalls (confused grab bag),
      protecting Internet systems (basic concepts), protecting web sites
      (broad but not deep), public key infrastructure (basic components, but
      no more), antivirus technology (simplistic look at scanning), software
      development (simplistic look at the software development life cycle),
      and piracy (piracy is going on and we have to find some way to stop

      Human factors, in part four, looks at standards for security products
      (verbose description of the Common Criteria components), security
      policy guidelines (miscellaneous related documents), security
      awareness (do interesting seminars), ethics (vague), employment
      policies (grab bag), operations security (and another), Internet use
      policies (yet again), working with law enforcement (generic and poorly
      structured), social psychology (redoing the security awareness article
      with extra psychological jargon), and auditing computer security (a

      Part five's look at detection is brief, with intrusion detection
      (excellent introduction), monitoring (you should log stuff), and
      application controls (database integrity).

      Remediation reviews computer emergency response teams (generic),
      backups (pedestrian), business continuity planning (have a plan),
      disaster recovery (repeat previous), and insurance (get some) in part

      Part seven examines management's role, including management
      responsibilities (you could be liable), developing policies (generic),
      risk assessment (assess risks), and Y2K (management is now onside--
      yeah, right).

      Other considerations, such as medical records (good introduction and
      discussion of the issues), using encryption internationally (laws
      differ), censorship (random thoughts), privacy (various laws),
      anonymity (psychological ponderings), and the future (various
      thoughts) make up part eight.

      There is useful material in the work, but it is difficult to abstract
      the good from the mundane unless you are already quite expert in the
      field. The newcomer would be advised to get some basic training or
      reading before attempting to deal with this work, but the expert will
      be able to find some useful nuggets.

