BKFICMCR.RVW 981106

"Fighting Computer Crime", Donn B. Parker, 1998, 0-471-16378-3, U$34.99/C$49.50
%A Donn B. Parker dparker@sric.sri.com
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 1998
%G 0-471-16378-3
%I John Wiley & Sons, Inc.
%O U$34.99/C$49.50 416-236-4433 fax: 416-236-4448 rlangloi@wiley.com
%O http://www.amazon.com/exec/obidos/ASIN/0471163783/robsladesinterne
%P 512 p.
%T "Fighting Computer Crime: A New Framework for Protecting Information"

Parker feels that too much of the data security field concentrates on technical answers to the problems of reliability, integrity, and availability of data, and doesn't pay sufficient attention to those people who are deliberately out to read, steal, or ruin your information and systems.

Personally, I find it rather ironic that he defines "crimoids," in chapter one, as minor events promoted to much higher significance by the media, and public misperceptions. In the non-specialist realm, more people spend more time worrying about "hackers" than ever back up their drives. (I am reminded of a friend; an intelligent and educated person who started his career programming large and sophisticated information systems and who has now risen to the executive ranks; who has for years refused to get a modem for his home computer. In spite of his frequently expressed desire for access to the Internet, and my repeated assurances that with his current computer and operating system there is no hidden danger, he remains convinced that the mere attachment of a modem to his machine will allow someone to break into his computer and damage it.)

Who, then, is this book written for? The author does not say, but what he does say in the preface seems to indicate that he is not writing for those whose business cards make reference to security. (I have neither argument nor inclination to dispute Parker's assertion that security "professionals" do not really deserve the designation.)
But if this text is aimed at the general public, chapter one's emphasis on the dangers and lack of protection would seem more inclined to incite further panic, rather than a realistic and measured response.

Chapter two is an interesting and useful examination of an often unasked question in the field: what is the nature of the information we are supposedly securing? There are valuable side points, such as both the danger and the opportunity in the security arena presented by the Year 2000 problem. At the same time, I have to note that an erroneous description of the Cascade virus is an example of Parker's asserting points that are just beyond the available facts, and, for me anyway, has an unfortunate effect on the trustworthiness of the work as a whole.

The review of cybercrime, in chapter three, has more reference to journalism and other forms of fiction than to reality, but I have to agree with everything said there. Computer misuse and abuse is discussed in chapter four. (As if to make up for chapter two, the section on viruses is very good.) Network misuse is covered in chapter five, and although I still have trouble believing in the reality of salami attacks (Parker's sole example is said to have resulted in a conviction, but no citation is given) I am a bit more willing to accept his broader definition.

Chapter six is extremely strong in portraying a realistic and broadly based analysis of characteristics of computer criminals. A similarly informed and balanced approach distinguishes chapter seven, regarding hacker culture, but there is also a universally condemnatory tone that is not wholly justified by the facts as presented. Chapter eight is a very helpful first step for those wanting to deal in the art of computer security.
Chapter nine reviews the deficiencies in most current security practices, noting overprotection in some areas while ignoring loopholes in others, and a flowery jargon that serves mostly to hide the fact that security people just don't feel very comfortable with what is going on. However, Parker's new model of security, in chapter ten, while it is very clear and useful, does not extend recent work in, say, electronic commerce. On the one hand, this congruence does support the model, but on the other, one can't really say it is too novel.

The popular, but demonstrably incomplete, risk assessment study is de-emphasized in favour of a more difficult, but more realistic, baseline security standard in chapter eleven. Details on how to conduct such a study are very helpfully given in chapter twelve, although the benchmark chart is going to be much harder to come by than is made clear in the text. Chapter thirteen provides a practical and useful set of criteria for determining control objectives. A number of security tactics are detailed in chapter fourteen. Chapter fifteen takes the larger strategic view. (I was delighted to see the inclusion of a section on corporate ethics in this chapter. Recently I contracted to produce a security document for an educational institution, and was told to take the section on ethics out.) Management of security, in chapter sixteen, includes provisions for training, policy, and other factors. Chapter seventeen finishes off with a look to the future. The material, while thought-provoking, is possibly more likely to generate arguments than solutions.

Parker's stance on security in general definitely puts him in the camp of the professional paranoids. However, absent the first and last chapters, there is a lot of good, solid knowledge here to help educate any security practitioner.
The material in the second half of the book is just as valuable to the security process as the more technical works such as "Practical UNIX and Internet Security" (cf. BKPRUISC.RVW) by Spafford and Garfinkel, albeit in quite a different way. An informed security policy is every bit as important as a good set of "access" controls.

copyright Robert M. Slade, 1998 BKFICMCR.RVW 981106