BKDYDAAH.RVW 20000515

"Defending Your Digital Assets", Randall K. Nichols/Daniel J. Ryan/Julie J. C. H. Ryan, 2000, 0-07-212285-4, U$49.99
%A Randall K. Nichols rnichols@comsec-solutions.com
%A Daniel J. Ryan danryan@danjryan.com
%A Julie J. C. H. Ryan julieryan@julieryan.com
%C 300 Water Street, Whitby, Ontario L1N 9B6
%D 2000
%G 0-07-212285-4
%I McGraw-Hill Ryerson/Osborne
%O U$49.99 905-430-5000 800-565-5758 905-430-5134 fax: 905-430-5020
%P 858 p.
%T "Defending Your Digital Assets: Against Hackers, Crackers, Spies, and Thieves"

In the preface, the authors decide to define their own terms their own way. For example, hackers break into computers for the thrill of it, while crackers break in for profit. They also state that there is a tension between securing a network and managing it, ignoring the fact that most people see security as a management issue. Later, in the first chapter, the "authors apologize for being a little informal" in what they say. Aside from the lack of any reason given for the necessity of this "informality," it certainly appears to be much more appropriate to call it disorganization and a lack of discipline.

The book is supposed to be aimed at executives and managers, rather than security specialists, or is intended to be used as the text for a graduate information security course. Again, leaving aside the inherent contradiction in that assertion, the material in this work is not just careless, but so seriously flawed that any manager relying on it (let alone the poor grad student) is going to be seriously misled in places.

Part one purports to be an overall introduction. Chapter one starts with digital espionage and throws around lots of scary numbers and names. Unfortunately, the text lacks any analysis of the reports being cited, most of which seem to be opinion surveys, and some of which contradict each other. (Attacks are said to number in the hundreds per day in one account, while another [from the NSA] asserts 250 per year, and yet a third [from the FCIRC] states 244--for the same year.) The text is also extremely confused and appears to be almost deliberately unstructured: one paragraph starts talking about fraud and then covers the Morris Internet Worm, the only link being that Morris was prosecuted under the Computer Fraud and Abuse Act. Explanations are careless: the venerable Crack security tool is said to "attack" computers. The material is very disorganized, and if you can trace a common thread through a section of the text you will find that most of the content is peripheral to it. Chapter two is supposed to cover information security (infosec, in the book's jargon), but instead continues to regale us with stories of digital espionage (DE) and infowar. (Except for a seemingly pointless digression into Hurricane Andrew.)

Part two is to present us with infosec concepts. Chapter three, somewhat surprisingly, does give us a decent "Common Body of Knowledge" overview and threat list, along with some risk management and infosec architecture. A serviceable discussion of policy, with some time out for US fed bashing, is in chapter four. Privacy, in chapter five, is not covered well: we have a flatly inflammatory definition of a "cookie," and ten pages of unsupported tables and odd graphs which eventually reveal that some people want privacy and others want to collect data. (Big surprise.) Chapter six talks about security system certification and verification.

Part four touches on practical infosec. Chapter seven gives a decent outline of cryptography, with a good comparison of strength, but a huge "analysis" of key recovery and escrow systems shows only that some like it and some don't. Access control systems are covered in chapter eight. Digital signatures and certificate authorities are reviewed in chapter nine: the web of trust model is mentioned, but not analyzed or used in the material. Chapter ten is a confused discussion of permission management, concentrating primarily on e-commerce and the Web. Various factors in Virtual Private Networks (VPN) are listed in chapter eleven. Some biometric methods are described in chapter twelve.

Part four does not really deal with business continuity and recovery, but emphasizes "event management." Chapter thirteen looks at general security factors before the attack. "During and after the attack," in chapter fourteen, examines some audit and detection and some Web security.

Continuing with the militaristic imagery, part five wants to give us an "order of battle" for infowar. Chapter fifteen's "big picture" is more on risk assessment. The definition of infowar, in chapter sixteen, is vague, generic, and limited in scope. Malicious code is described as a type of virus in chapter seventeen, rather than virus being a subset of the class of malicious software. More infowar details, and a general model of military intelligence, bog down in a weird architecture model. "Methods of Employment," in chapter eighteen, is probably more useful if you want to attack somebody. Public key infrastructure, in chapter nineteen, reprises chapter nine. Chapter twenty's look at cryptography and politics concentrates on US regulations and cases, with little philosophical discussion of the issues.

The appendices that close the book are of limited use. For example, the "annotated bibliography" is not annotated, and contains a number of general press articles and news stories.

While there is some useful material in this text, the entire work requires a wholesale reordering to be of any value. A solid restructuring along topical lines would allow a great deal of extraneous verbiage to be discarded. A disciplined adherence to the topic at hand would make the valuable content much more accessible to the target audience. As it is, the book joins a long line of similar, and similarly disorganized, "guides" that do not really help the non-specialist.

copyright Robert M. Slade, 2000