REVIEW: "Network Security Assessment", Steve Manzuik/Andre Gold/Chris Gatford
- BKNESEAS.RVW 20091004
"Network Security Assessment", Steve Manzuik/Andre Gold/Chris Gatford,
2007, 978-1-59749-101-3, U$59.95/C$77.95
%A Steve Manzuik
%A Andre Gold
%A Chris Gatford
%C 800 Hingham Street, Rockland, MA 02370
%G 978-1-59749-101-3 1-59749-101-2
%I Syngress Media, Inc.
%O U$59.95/C$77.95 781-681-5151 amy@...
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 372 p.
%T "Network Security Assessment: From Vulnerability to Patch"
Chapter one is a general discussion of vulnerabilities and risk. The
material makes the process (and threat environment) seem more
formalized and simpler than it really. Initially the review of
vulnerabilities seems limited to coding issues, but later parts of the
book concentrate almost exclusively on network issues. A broad
overview of the usual "discovery/enumeration/analysis" style of
penetration testing is given in chapter two. Assessment tools are
noted in chapter three, although the content is mostly a duplication
from two. While most of the suggestions are reasonable (yes, you do
want a low rate of false positive alarms), some are unrealistic (a
zero rate of false negative results is almost inherently impossible to
Chapter four addresses the discovery stage, though not in much depth.
Similarly, chapter five's examples of enumeration are limited to
various scans. Chapter six repeats the penetration testing review
from chapter two, but with different examples.
Vulnerability management, as delineated in chapter seven, is simply a
project cycle with some audit functions included. Chapter eight is a
terse listing of vulnerability management tools. The content of
chapter seven is repeated in chapter nine, in a more confused form,
and now under the title "Vulnerability and Configuration Management."
"Regulatory Compliance," in chapter ten, is restricted to a brief
discussion of the Payment Card Industry Data Security Standard, and
the US Sarbanes-Oxley law. Chapter eleven re-reviews the chapters in
An appendix covers legal factors for a variety of information security
The material in this work provides a decent introduction to
vulnerability assessment and penetration testing, but with a great
deal of padding and duplication. Condensed into a magazine article,
instead of running to almost four hundred pages, it could have been
very useful. There is also a chance that the reader will be misled by
the doctrinaire stance in many cases, such as the presentation of
penetration testing as distinct from vulnerability assessment, when
the reality is a continuum, with most people taking a hybrid approach.
Overall the book is a good start, but those wishing to actually begin
working with assessments will need additional help.
copyright Robert M. Slade, 2009 BKNESEAS.RVW 20091004
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
I have found that many organizations want change,
but nobody wants to do anything differently. - Jeffrey Pfeffer