BKINFCAH.RVW 20051106 "InfoSec Career Hacking", Aaron W. Bayles et al, 2005, 1-597490-11-3, U$39.95/C$55.95 %A Aaron W. Bayles et al %C 800 Hingham Street, Rockland, MA 02370 %D 2005 %G 1-597490-11-3 %I Syngress Media, Inc. %O U$39.95/C$55.95 781-681-5151 fax: 781-681-3585 amy@syngress.com %O http://www.amazon.com/exec/obidos/ASIN/1597490113/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1597490113/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1597490113/robsladesin03-20 %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation) %P 441 p. %T "InfoSec Career Hacking: Sell Your Skillz, Not Your Soul" The book seems to want to structure itself along the standard network attack model, and therefore part one is reconnaissance. Chapter one is supposed to define INFOSEC (information security as a career), but seems to do so from the perspective of the Rainbow series books, thus dating itself to the late 80s, and limiting the audience to the US DoD. Standard advice on researching the company you want to work for is given in chapter two. (The infosec specific advice is, again, restricted to the US federal government.) "Enumerate" usually means to collect detailed information on the basis of initial data, but chapter three provides the normal advice on building "networks" of contacts. Common resume, interview, and offer assessment advice is in chapter four. Part two moves on to technical skills. (When I wrote my first book, and asked for advice from people who had done it before, I received one suggestion that I should know what I was talking about first. At the time I was a bit offended, but I've since realized that the admonition was based in broad experience: an awful lot of people in this field really don't know what they are talking about. If you need the skills described in this book, you really have no business pursuing a career in information security.) Chapter five talks about security "laws;" basic security advice. (The text is not always accurate: it is not necessary for properly engineered systems to decrypt or decode passwords in order to perform access control.) Questionable suggestions on tools for an attack lab are given in chapter six, which we will charitably assume indicates an interest in security research. (The content would be of very limited practical value for a career.) Chapter seven contains an overly complex discussion of disclosure. (It may be related to the research in six, and networking in three, but otherwise wouldn't have much to do with a career search.) A few types of attacks are listed in chapter eight. Part three is supposedly about activities on the job. Chapter nine provides miscellaneous system development and project management counsel. Chapter ten is nominally about vulnerability remediation, but concentrates on providing seminars for others, and getting extra training yourself. Incident response, in chapter eleven, is apparently equated with disaster recovery and an inventory of vulnerability assessment tools. Chapter twelve finishes off with a grab bag of leftover topics. This book is full of pedestrian advice that is not terribly useful regardless of where you are in your infosec career. copyright Robert M. Slade, 2005 BKINFCAH.RVW 20051106