BKISGFPD.RVW 20010605

"The Internet Security Guidebook", Juanita Ellis/Timothy Speed, 2001, 0-12-237471-1, U$44.95
%A   Juanita Ellis
%A   Timothy Speed tim.speed@home.com
%C   525 B Street, Suite 1900, San Diego, CA 92101-4495
%D   2001
%G   0-12-237471-1
%I   Academic Press
%O   U$44.95 619-231-0926 800-321-5068 fax: 619-699-6380
%P   320 p.
%T   "The Internet Security Guidebook: From Planning to Deployment"

The introduction outlines some of the basic types of attacks that can happen over the Internet, and seems to concentrate on attacks against machines, rather than people or companies. This emphasis on the technical is odd, since the material provides very few technical details, but does contain more than a little error and confusion. The text of the book doesn't mention a specific target audience, although the jacket notes seem to promote the work to CEOs and other senior executives. This is odd, since the writing level seems more appropriate to the home user.

Chapter one is an overview of security planning. Most of the important parts of preparation are included, but the chapter structure and even the figures are very confusing. There are many gaps in the discussion of security reviews, and a number of odd and apparently misplaced items have been inserted.

Encryption is covered simplistically, and the lack of depth in the material becomes a problem in the chapter on network security. After twelve pages that *don't* explain the Internet and OSI (Open Systems Interconnection) models of networking, the text attempts to deal with a number of Internet security tools, most of which rely on encryption and key exchange. There are frequent errors, and the sections sometimes even provide contradictory and nonsensical explanations, such as the statement that "unencoded" means both "not encrypted" and "not as plain text."
The basic outline of firewalls is better than is provided in most general guides, although the description of circuit-level gateways keeps referring to "stateful inspection" without ever explaining what that is. The long evaluation section is, unfortunately, the usual for this type of book: it does provide most of the right questions to ask, but doesn't give the novice reader much help in analyzing the answers.

Authentication is a very important topic in security, and it is too bad that the material on this subject is so confused, and confusing. I find it very difficult to reconcile the statement that there are "very few examples" of biometrics with the existence of a great many fingerprint, palm geometry, iris, voiceprint, and even face readers. The depiction of Kerberos is wrong in some basic aspects, does not address the fundamental problems with the Microsoft version, and does not relate in any way to the very closely associated topic of single sign-on that immediately follows. The discussion of PKI (Public Key Infrastructure) does do well in covering the "build or buy" debate for a certificate authority. Directory issues are not handled particularly well, and there are other errors. (Excuse me? The Internet didn't exist before the mid-1980s?)

The chapter on messaging security is a real grab bag of topics, none of which, with the possible exception of acceptable use, are covered in sufficient depth. (Viruses and trojans get lumped into this chapter, and the commentary is quite sloppy.)

The basic outline of risk analysis, including threat, impact, and probability, is good, but the supporting material is not quite standard, and probably not very helpful to the target audience. The chapter also fails to point out the full scope of such an appraisal, as well as the importance of looking at the aggregate risk. On the other hand, the review of policy and procedures hardly seems to address policy creation at all.
This is another miscellaneous compendium of vulnerabilities, diving into specifics and missing the bigger picture. The material on incident response is generic, but does point out the foundational concepts. There is little detail, and the text does concentrate on dealing with events by severity, rather than by type. The book closes off with an ordinary presentation on project planning.

I would be the first to admit that security can be a dry topic, and a little humour can help to spice up the text. However, I am willing to make an exception in the case of this book. The jokes added to the text do nothing to improve it. They are intrusive, distracting, and do not, in any way, help the reader to understand the topics under discussion. Indeed, the attempts at comedy generally sidetrack the reader from the central issues of the work, and simply confuse any issue under discussion.

If this text is aimed at executive management, it definitely needs to be tightened up and reorganized to eliminate duplicated material and ensure the structure and arguments are easier to follow. Many points raised throughout the work are important, but a number of vital issues are not addressed, and the patchwork of writing level and quality of information probably means that this is unsuitable as an only introduction to security. The Internet, in fact, is not really a major concern in this book, although it does get mentioned from time to time. I would have difficulty in suggesting a group that would benefit from this book, although it might serve as an adjunct text to the security planning process, if ideas were being culled from multiple sources.

copyright Robert M. Slade, 2001   BKISGFPD.RVW   20010605