BKCMSCHB.RVW 20020911

"Computer Security Handbook", 2002, Seymour Bosworth/M. E. Kabay, 0-471-41258-9
%E Seymour Bosworth sybosworth@aol.com
%E M. E. Kabay mkabay@norwich.edu
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2002
%G 0-471-41258-9
%I John Wiley & Sons, Inc.
%O U$75.00 416-236-4433 fax: 416-236-4448
%P 1224 p.
%T "Computer Security Handbook, Fourth Edition"

There are many recognizable (and a lot more not so recognizable) names in the list of contributors. Authors such as Rebecca Bace, Donn Parker, and William Stallings stand out as people who have something worth saying, and can say it well. Other names are associated with less worthy works.

Chapter one states that the purpose of the handbook is to describe information system security risks, the measures for mitigating those risks, and the techniques for managing security risks. In a sense, it does that, but risk management is not the whole of computer security. Even if the title of the book were to confine itself to risk management, one would still have to say that, overall, there are other works that cover the field more completely, with less wasted verbiage. There has been an attempt to remove the previous editions' restriction to topics relevant to "big iron." However, new technologies still seem to get short shrift.

Part one looks at foundations of computer security, with papers examining the history and mission of security (actually just history of computers), law and computer forensics (random collection of legal issues, almost nothing on forensics), common language for computer incident information (proposal with no proof that it will either cover all incidents or assist with dealing with incidents), surveys of computer crime (lots of material on how studies should be conducted, and uncritical reports of some studies), and new framework for security (Donn Parker says we are missing pieces of security).
Threats and vulnerabilities are reviewed in part two, including essays on the psychology of computer criminals (mostly good but some questionable observations and theories about black hats), information warfare (information systems can be attacked--surprise!), penetrating systems and networks (there are different ways to get unauthorized access), malicious code (traditional models and some recent examples of viruses), mobile code (some aspects of ActiveX and scripting), denial of service attacks (reasonable overview of various types--and some unrelated exploits), intellectual property (random legislation and thoughts), e-commerce vulnerabilities (various weaknesses), and physical threats (generic disaster recovery).

Part three covers preventive technical defenses, containing topics such as protecting information infrastructure (generic security, mostly physical), identification and authentication (brief introduction), operating system security (good introduction to access control), local area networks (random thoughts), e-commerce safeguards (legal protections and vague ideas), firewalls (confused grab bag), protecting Internet systems (basic concepts), protecting web sites (broad but not deep), public key infrastructure (basic components, but no more), antivirus technology (simplistic look at scanning), software development (simplistic look at the software development life cycle), and piracy (piracy is going on and we have to find some way to stop it).
Human factors, in part four, looks at standards for security products (verbose description of the Common Criteria components), security policy guidelines (miscellaneous related documents), security awareness (do interesting seminars), ethics (vague), employment policies (grab bag), operations security (and another), Internet use policies (yet again), working with law enforcement (generic and poorly structured), social psychology (redoing the security awareness article with extra psychological jargon), and auditing computer security (a checklist).

Part five's look at detection is brief, with intrusion detection (excellent introduction), monitoring (you should log stuff), and application controls (database integrity).

Remediation reviews computer emergency response teams (generic), backups (pedestrian), business continuity planning (have a plan), disaster recovery (repeat previous), and insurance (get some) in part six.

Part seven examines management's role, including management responsibilities (you could be liable), developing policies (generic), risk assessment (assess risks), and Y2K (management is now onside--yeah, right).

Other considerations, such as medical records (good introduction and discussion of the issues), using encryption internationally (laws differ), censorship (random thoughts), privacy (various laws), anonymity (psychological ponderings), and the future (various thoughts) make up part eight.

There is useful material in the work, but it is difficult to abstract the good from the mundane unless you are already quite expert in the field. The newcomer would be advised to get some basic training or reading before attempting to deal with this work, but the expert will be able to find some useful nuggets.

copyright Robert M. Slade, 2001, 2002