REVIEW: "The Secured Enterprise", Paul E. Proctor/F. Christian Byrnes

Rob, grandpa of Ryan, Trevor, Devon & Ha
Message 1 of 1, Sep 1, 2004
      BKSEPYIA.RVW 20040719

      "The Secured Enterprise", Paul E. Proctor/F. Christian Byrnes, 2002,
      0-13-061906-X, U$34.99/C$54.99
      %A Paul E. Proctor
      %A F. Christian Byrnes
      %C One Lake St., Upper Saddle River, NJ 07458
      %D 2002
      %G 0-13-061906-X
      %I Prentice Hall
      %O U$34.99/C$54.99 +1-201-236-7139 fax: +1-201-236-7131
      %O http://www.amazon.com/exec/obidos/ASIN/013061906X/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/013061906X/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/013061906X/robsladesin03-20
      %P 304 p.
      %T "The Secured Enterprise: Protecting Your Information Assets"

      The introduction states that the book is aimed at business
      professionals, but that security professionals may also find it useful
      as a reference.

      Part one is an introduction to security. So is chapter one, which
      extends the traditional CIA (Confidentiality, Integrity, Availability)
      security triad to include non-repudiation. (Most security analysts
      would see that function as a special case of integrity.) This muddled
      thinking is echoed by the muddled structure of the chapter, which
      touches tersely on roles and policies, and contains an extremely
      incomplete list of security technologies. Miscellaneous threats are
      mentioned in chapter two. Policies are revisited in chapter three,
      although the discussion is not clear in regard to high level policy
      formation, and more applicable to access privilege or procedures.
      Chapter four deals specifically with access control, but in a
      disorganized and incomplete fashion.

      Part two deals with security technologies. Chapter five is an
      incomplete definition and description of firewalls (stateful and
      circuit proxy types are never mentioned). An incomplete description
      of vulnerability scanners is given in chapter six. An incomplete and
      very dated discussion of viruses and protection makes up chapter
      seven. (Various implementations of scanning are noted, but there is
      no reference to activity monitors or change detection). The limited
      review of intrusion detection, in chapter eight, has a rather
      misleading explanation of sensor topology, and no clear explanation at
      all of engine types. Chapter nine has a simplistic outline of
      asymmetric cryptography and public key infrastructure (and a very odd
      example of the key management problem). Chapter ten has lots of
      verbiage about virtual private networks. A strange conflation of
      mobile communication and wireless LAN topics is in chapter eleven.
      Chapter twelve seems to both recommend and disparage single sign-on.
      A promotional piece for digital signature technology is in chapter
      thirteen.

      Part three discusses implementation. Chapter fourteen outlines the
      setting up of a security program, but only if you know what should go
      into the various pieces already. Security assessment, in chapter
      fifteen, is limited to different types of penetration or vulnerability
      testing, with a ludicrously short description of risk assessment.
      There is a simplistic overview of incident response and business
      continuity planning in chapter seventeen. Random bits of Web and
      Internet security are listed in eighteen.

      Given the scattered nature of the entire work, it is curious that part
      four is entitled "Odds and Ends." Miscellaneous legal issues are
      raised in chapter nineteen. Chapter twenty is supposed to help you
      with "Putting It All Together," but just contains editorial advice.

      OK, is it good for non-security businesspeople? Maybe, if they really
      know extremely little about security, and don't need to manage the
      security function. They will at least obtain some familiarity with
      the terms that might be used, although it could be a case of a little
      knowledge being a dangerous thing. As for security professionals: get
      some decent references.

      copyright Robert M. Slade, 2004 BKSEPYIA.RVW 20040719


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      I appreciate the fact that this draft was done in haste, but
      some of the sentences that you are sending out in the world to
      do your work for you are loitering in taverns or asleep beside
      the highway.
      -- Dr. Dwight Van de Vate, Professor of Philosophy,
      University of Tennessee at Knoxville
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade