BKINSCMI.RVW 20030321 "Inside the Security Mind", Kevin Day, 2003, 0-13-111829-3, U$44.99/C$69.99 %A Kevin Day %C One Lake St., Upper Saddle River, NJ 07458 %D 2003 %G 0-13-111829-3 %I Prentice Hall %O U$44.99/C$69.99 +1-201-236-7139 fax: +1-201-236-7131 %O http://www.amazon.com/exec/obidos/ASIN/0131118293/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0131118293/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0131118293/robsladesin03-20 %P 309 p. %T "Inside the Security Mind: Making the Tough Decisions" I am quite sympathetic to the idea that the realization of a security mindset or attitude (I frequently refer to it as professional paranoia) is more important to attaining security than isolated technical skills. I'm sorry to say that this work is not likely to help you find, attain, or assess that protection perspective. Right from the beginning of the book, readers will find a flavour of eastern philosophy, and even mysticism, to it. There are four virtues, an eight-fold path, and even repeated injunctions for the reader to keep an "open mind"--a phrase which those who have conversed with devotees of the Buddhist faith will find rather familiar. Unfortunately, chapter one seems to demonstrate that Day is bringing us only a newage vagueness in his description of the security mind. We are to rid ourselves of negative thoughts, and follow fundamental virtues, which we haven't been given yet. Computer security is only a decade old, we are told in chapter two, and constantly changing, and expensive, and there are few practitioners, and lots of bad guys out there, and we are paralyzed by fear--but we have nothing to fear but fear itself! Chapter three finally lists the four virtues for us: security is ongoing, a group effort, requires a generic approach, and is dependent upon education. I don't disagree with any of these points (other than the philological debate about whether they should be called virtues), and neither would any other security professional. However, they don't really provide us with much in the way of help. Eight security "rules," in chapter four, list principles such as "least privilege," which are also commonly known in security work. Chapter five is supposed to tell us how to develop a security mind, but actually seems to be an exercise in wishful thinking. If the world were neatly divided into safe and unsafe zones, and if our systems all worked perfectly and in correspondence with our users' known requirements, and if everyone that we trusted were completely competent in regard to their own defence, security would be much easier. Decision-making is likewise simplistically seen to be supported by the virtues and rules, in chapter six. There is a superficial overview of blackhats and vulnerabilities in chapter seven. Chapter eight has a standard review of risk analysis. Vague ideas on hiring security, and some thoughts on outsourcing, are in chapter nine. The author gives his opinion on some security tools in chapter ten. Chapter eleven is another attempt to prove that the rules can be used. We are given a final adjuration to change our attitudes in chapter twelve. Basically, this book is yet another attempt to write a general security guide, without first ensuring that the material is structured, sound, complete, or useful. copyright Robert M. Slade, 2003 BKINSCMI.RVW 20030321