REVIEW: "Information Security Best Practices", George L. Stefanek
- BKISBPBR.RVW 20021215
"Information Security Best Practices", George L. Stefanek, 2002,
%A George L. Stefanek
%C 225 Wildwood Street, Woburn, MA 01801
%I Butterworth-Heinemann/CRC Press/Digital Press
%O 800-366-BOOK fax: 1-617-933-6333 dp-catalog@... www.bh.com/bh/
%P 194 p. + CD-ROM
%T "Information Security Best Practices: 205 Basic Rules"
The preface states that this book contains rules that allow a system
administrator or manager, possibly a novice, to provide a basic level
of security for an organization.
Chapter one lists a few (well, eleven) attacks on information systems.
The descriptions are rather simple: the virus definition is quite old
(there is no mention of macro or email viruses), worms are depicted
solely in terms of memory exhaustion, and it is difficult to see what
purpose the list serves. The generic structure of an attack or intrusion is described
in chapter two. The initial discussion of policy, in chapter three,
is limited to the advice that you have one. This recommendation is
expanded in chapter four, which does provide some reasonable points on
creating a policy.
A few of the "rules" have been given in the earlier chapters, but
chapter five, on network architecture and design, begins what is
obviously the body of the book. Some of the advice is questionable,
such as the commandment to limit firewall selection to those products
that carry the NCSA stamp of approval. (The NCSA approval has some
value, but is far from definitive, and, in any case, the group morphed
into the ICSA many years ago, and is now TruSecure.) By and large the
material, and that which follows, is reasonable and would help to
improve the security of any enterprise, although it is quite limited.
The remaining chapters cover physical security, PCs (tersely),
Internet security, application development, software validation,
configuration management, network monitoring, maintenance and
troubleshooting, and training. The advice about hardware selection
(in chapter six) is restricted to "motherhood"-type rules, which are
vague and would be hard to follow. The chapters on network hardware
(eight) and operating systems (nine) both recommend that there be a C2
level rating for routers and servers, although the "orange book"
specifications are no longer considered standards (and in spite of the
fact that Windows NT 3.51 got a C2 rating--on condition that it was
not connected to a network). Encryption, in chapter fourteen, is
supposed to be "strong," although there is little information on how
to measure strength. (In fact, a key length of 128 bits is mandated,
despite the fact that this is far too short for asymmetric systems,
and longer than triple DES [Data Encryption Standard].) The suggested
actions in case of attack, in chapter nineteen, are rather drastic:
spam should be addressed by killing email service, and a denial of
service attack should be responded to by disconnecting from the net.
Overall, this does have value as a "quick and dirty" set of guidelines
for administrators who do not have formal security training and
experience. The book is short, and thus easily readable for busy
people. While security professionals may cringe at the simplistic
nature of some recommendations, the rules can help improve the
security of a system that would otherwise have none.
That holds only as long as the reader does not gain a false sense that
he has implemented proper security.
copyright Robert M. Slade, 2002 BKISBPBR.RVW 20021215