
REVIEW: "Information Security Best Practices", George L. Stefanek

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1 , Jan 29 8:24 AM
      BKISBPBR.RVW 20021215

      "Information Security Best Practices", George L. Stefanek, 2002,
      1-878707-96-5
      %A George L. Stefanek
      %C 225 Wildwood Street, Woburn, MA 01801
      %D 2002
      %G 1-878707-96-5
      %I Butterworth-Heinemann/CRC Press/Digital Press
      %O 800-366-BOOK fax: 1-617-933-6333 dp-catalog@... www.bh.com/bh/
      %O http://www.amazon.com/exec/obidos/ASIN/1878707965/robsladesinterne
      %P 194 p. + CD-ROM
      %T "Information Security Best Practices: 205 Basic Rules"

      The preface states that this book contains rules for a, possibly
      novice, system administrator and manager to provide a basic level of
      security for an organization.

      Chapter one lists a few (well, eleven) attacks on information systems.
      These are rather simple; the virus definition is quite old (there is
      no mention of macro or email viruses) and worms are depicted in terms
      of memory exhaustion; and it is difficult to see what purpose they
      serve. The generic structure of an attack or intrusion is described
      in chapter two. The initial discussion of policy, in chapter three,
      is limited to the advice that you have one. This recommendation is
      expanded in chapter four, which does provide some reasonable points on
      creating a policy.

      A few of the "rules" have been given in the earlier chapters, but
      chapter five, on network architecture and design, begins what is
      obviously the body of the book. Some of the advice is questionable,
      such as the commandment to limit firewall selection to those products
      that carry the NCSA stamp of approval. (The NCSA approval has some
      value, but is far from definitive, and, in any case, the group morphed
      into the ICSA many years ago, and is now TruSecure.) By and large the
      material, and that which follows, is reasonable and would help to
      improve the security of any enterprise, although it is quite limited.
      The remaining chapters cover physical security, PCs (tersely),
      Internet security, application development, software validation,
      configuration management, network monitoring, maintenance and
      troubleshooting, and training. The advice about hardware selection
      (in chapter six), is restricted to "motherhood" type rules which are
      vague and would be hard to follow. The chapters on network hardware
      (eight) and operating systems (nine) both recommend that there be a C2
      level rating for routers and servers, although the "orange book"
      specifications are no longer considered standards (and in spite of the
      fact that Windows NT 3.51 got a C2 rating--on condition that it was
      not connected to a network). Encryption, in chapter fourteen, is
      supposed to be "strong," although there is little information on how
      to measure strength. (In fact, a key length of 128 bits is mandated,
      despite the fact that this is far too short for asymmetric systems,
      and longer than triple DES [Data Encryption Standard].) The suggested
      actions in case of attack, in chapter nineteen, are rather drastic:
      spam should be addressed by killing email service, and a denial of
      service attack should be responded to by disconnecting from the net.

      Overall, this does have value as a "quick and dirty" set of guidelines
      for administrators who do not have formal security training and
      experience. The book is short, and thus easily readable for busy
      people. While security professionals may cringe at the simplistic
      nature of some recommendations, the rules can help improve the
      security of a system that would otherwise have none.

      As long as the reader does not gain a false sense that he has
      implemented proper security.

      copyright Robert M. Slade, 2002 BKISBPBR.RVW 20021215

      rslade@... rslade@... slade@... p1@...
      Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
      Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
      March 31, 2003 Indianapolis, IN