BKINTRSC.RVW 971122

"Intranet Security: Stories from the Trenches", Linda McCarthy, 1998, 0-13-894759-7, U$29.95/C$41.95
%A Linda McCarthy
%C One Lake St., Upper Saddle River, NJ 07458
%D 1998
%G 0-13-894759-7
%I Prentice Hall
%O U$29.95/C$41.95 800-576-3800 201-236-7139 fax: +1-201-236-7131
%O betsy_carey@prenhall.com
%P 260 p.
%T "Intranet Security: Stories from the Trenches"

Data security is more than somewhat akin to the weather. Many people talk a good line about how important it is to their company, but few invest the time, money, vigour, and rigour to make it really effective. There are some very good, practical, computer security books on the market. Leaving aside the really bad ones, though, there are also a great number of works that take a rather pompous academic approach to the concepts only, leaving the actual details of real dangers and protection as an exercise to the reader.

McCarthy takes a different tack. Each chapter in this book is an authentic case study, with the names changed to protect the unfortunate. While this means that the text can't be easily used as a reference, with quick indexing of specific tasks, the content is firmly based in the real world, and informed with the author's insights into how people actually do react in an emergency. Techies may be unhappy with the lack of technical details in the inquiries. Too bad. Security is much more of a management issue than a technical one, and the stories show that clearly. The result is, therefore, much closer to "Digital Woes" (cf. BKDGTLWO.RVW) or "Computer-Related Risks" (cf. BKCMRLRS.RVW) than, say, "Practical UNIX and Internet Security" (cf. BKPRUISC.RVW).

The book is also very readable. The chapters follow a format that includes a fictional worst case scenario, then presents the incident itself, gives a summary of the problems that led to the predicament, and finally suggestions for avoiding the trouble.
The text is almost light, and loaded with personal entries both as observations of company situations and lively trivia. (I, too, have a sister much younger than I am.)

Each investigation is chosen with a view to emphasizing a particular security problem or issue. Chapter one shows that without an incident response procedure, and exception report communications, even detection of attacks can fail to protect the enterprise. The danger of shrink-wrapped, out-of-the-box solutions is demonstrated in chapter two. As I noted at the beginning, data security gets a lot of lip service, particularly from management. Chapter three reveals the wrong way for executives to promote security--and also tells you how to do it right. Security requires a cooperative effort, as chapter four points out, and failure to specify areas of responsibility can result in loopholes and vulnerabilities. Chapter five looks at another area that gets more speeches than spending--training. Risk assessment, and the risk of not assessing risks, is the theme of chapter six. Where chapter four looks at the negligence in determining roles with respect to security, chapter seven finds that drawing the lines too finely can also result in gaps in coverage and protection. Over the years I have railed against antivirus procedures that are not effective because they are too draconian for people to actually use if they want to get work done. Chapter eight discloses the problem with unrealistic policies in any field of security. As chapters four and seven point out the potential difficulties where individual partners each leave security to the other, so chapter nine demonstrates the same problem between companies doing business together. Chapter ten points out the importance of encryption--the backbone of all data security--in every area of corporate activity. Finally, the techies can be happy with chapter eleven. It gives a detailed log of a system penetration.
I will forgive McCarthy her use of the term "hacker" (she does mention the hacker/cracker controversy) for someone bent on security breaking, since she so forcefully derides the image of the invader as an "evil genius."

An appendix provides contact information for tools, products, incident response teams, and security organizations. I was rather disappointed to find that Internet references for a number of the tools do not specify full location information, that relatively few security organizations are listed, that the antiviral systems mentioned are not of the top rank, and, most important of all, that none of the international emergency response teams are from Canada.

This book belongs on every security and management bookshelf. For the non-specialist manager, it provides enough background to prompt the right questions and concerns. For the head-down data security specialist ... when was it you needed to make that pitch to the executive committee?

copyright Robert M. Slade, 1997