Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Network Security Assessment", Steve Manzuik/Andre Gold/Chris Gatford

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Han
    BKNESEAS.RVW 20091004 Network Security Assessment , Steve Manzuik/Andre Gold/Chris Gatford, 2007, 978-1-59749-101-3, U$59.95/C$77.95 %A Steve Manzuik %A
    Message 1 of 1 , Dec 23, 2009
      BKNESEAS.RVW 20091004

      "Network Security Assessment", Steve Manzuik/Andre Gold/Chris Gatford,
      2007, 978-1-59749-101-3, U$59.95/C$77.95
      %A Steve Manzuik
      %A Andre Gold
      %A Chris Gatford
      %C 800 Hingham Street, Rockland, MA 02370
      %D 2007
      %G 978-1-59749-101-3 1-59749-101-2
      %I Syngress Media, Inc.
      %O U$59.95/C$77.95 781-681-5151 amy@...
      %O http://www.amazon.com/exec/obidos/ASIN/1597491012/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/1597491012/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 372 p.
      %T "Network Security Assessment: From Vulnerability to Patch"

      Chapter one is a general discussion of vulnerabilities and risk. The
      material makes the process (and threat environment) seem more
      formalized and simpler than it really. Initially the review of
      vulnerabilities seems limited to coding issues, but later parts of the
      book concentrate almost exclusively on network issues. A broad
      overview of the usual "discovery/enumeration/analysis" style of
      penetration testing is given in chapter two. Assessment tools are
      noted in chapter three, although the content is mostly a duplication
      from two. While most of the suggestions are reasonable (yes, you do
      want a low rate of false positive alarms), some are unrealistic (a
      zero rate of false negative results is almost inherently impossible to

      Chapter four addresses the discovery stage, though not in much depth.
      Similarly, chapter five's examples of enumeration are limited to
      various scans. Chapter six repeats the penetration testing review
      from chapter two, but with different examples.

      Vulnerability management, as delineated in chapter seven, is simply a
      project cycle with some audit functions included. Chapter eight is a
      terse listing of vulnerability management tools. The content of
      chapter seven is repeated in chapter nine, in a more confused form,
      and now under the title "Vulnerability and Configuration Management."
      "Regulatory Compliance," in chapter ten, is restricted to a brief
      discussion of the Payment Card Industry Data Security Standard, and
      the US Sarbanes-Oxley law. Chapter eleven re-reviews the chapters in
      the book.

      An appendix covers legal factors for a variety of information security

      The material in this work provides a decent introduction to
      vulnerability assessment and penetration testing, but with a great
      deal of padding and duplication. Condensed into a magazine article,
      instead of running to almost four hundred pages, it could have been
      very useful. There is also a chance that the reader will be misled by
      the doctrinaire stance in many cases, such as the presentation of
      penetration testing as distinct from vulnerability assessment, when
      the reality is a continuum, with most people taking a hybrid approach.
      Overall the book is a good start, but those wishing to actually begin
      working with assessments will need additional help.

      copyright Robert M. Slade, 2009 BKNESEAS.RVW 20091004

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      I have found that many organizations want change,
      but nobody wants to do anything differently. - Jeffrey Pfeffer
      victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
      http://twitter.com/NoticeBored http://twitter.com/rslade
    Your message has been successfully submitted and would be delivered to recipients shortly.