[ISN] REVIEW: "Fighting Computer Crime", Donn B. Parker

From: mea culpa (jerichoat_private)
Date: Wed Feb 10 1999 - 18:58:18 PST


    Forwarded From: "Rob Slade" <sladeat_private>
    
    BKFICMCR.RVW   981106
    
    "Fighting Computer Crime", Donn B. Parker, 1998, 0-471-16378-3,
    U$34.99/C$49.50
    %A   Donn B. Parker dparkerat_private
    %C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
    %D   1998
    %G   0-471-16378-3
    %I   John Wiley & Sons, Inc.
    %O   U$34.99/C$49.50 416-236-4433 fax: 416-236-4448 rlangloiat_private
    %P   512 p.
    %T   "Fighting Computer Crime: A New Framework for Protecting
          Information"
    
    Parker feels that too much of the data security field concentrates on
    technical answers to the problems of reliability, integrity, and
    availability of data, and doesn't pay sufficient attention to those people
    who are deliberately out to read, steal, or ruin your information and
    systems.  Personally, I find it rather ironic that he defines "crimoids,"
    in chapter one, as minor events promoted to much higher significance by
    the media, and public misperceptions.  In the non-specialist realm, more
    people spend more time worrying about "hackers" than ever back up their
    drives.  (I am reminded of a friend;  an intelligent and educated person
    who started his career programming large and sophisticated information
    systems and who has now risen to the executive ranks; who has for years
    refused to get a modem for his home computer.  In spite of his frequently
    expressed desire for access to the Internet, and my repeated assurances
    that with his current computer and operating system there is no hidden
    danger, he remains convinced that the mere attachment of a modem to his
    machine will allow someone to break into his computer and damage it.) 
    
    Who, then, is this book written for?  The author does not say, but what he
    does say in the preface seems to indicate that he is not writing for those
    whose business cards make reference to security.  (I have neither argument
    nor inclination to dispute Parker's assertion that security
    "professionals" do not really deserve the designation.) But if this text
    is aimed at the general public, chapter one's emphasis on the dangers and
    lack of protection would seem more inclined to incite further panic,
    rather than a realistic and measured response. 
    
    Chapter two is an interesting and useful examination of an often unasked
    question in the field: what is the nature of the information we are
    supposedly securing?  There are valuable side points, such as both the
    danger and the opportunity in the security arena presented by the Year
    2000 problem.  At the same time, I have to note that an erroneous
    description of the Cascade virus is an example of Parker's asserting
    points that are just beyond the available facts, and, for me anyway, has
    an unfortunate effect on the trustworthiness of the work as a whole.  The
    review of cybercrime, in chapter three, has more reference to journalism
    and other forms of fiction than to reality, but I have to agree with
    everything said there.  Computer misuse and abuse is discussed in chapter
    four.  (As if to make up for chapter two, the section on viruses is very
    good.)  Network misuse is covered in chapter five, and although I still
    have trouble believing in the reality of salami attacks (Parker's sole
    example is said to have resulted in a conviction, but no citation is
    given) I am a bit more willing to accept his broader definition.  Chapter
    six is extremely strong in portraying a realistic and broadly based
    analysis of characteristics of computer criminals.  A similarly informed
    and balanced approach distinguishes chapter seven, regarding hacker
    culture, but there is also a universally condemnatory tone that is not
    wholly justified by the facts as presented.  Chapter eight is a very
    helpful first step for those wanting to deal in the art of computer
    security. 
    
    Chapter nine reviews the deficiencies in most current security practices,
    noting overprotection in some areas while ignoring loopholes in others,
    and a flowery jargon that serves mostly to hide the fact that security
    people just don't feel very comfortable with what is going on.  However,
    Parker's new model of security, in chapter ten, while it is very clear and
    useful, does not extend recent work in, say, electronic commerce.  On the
    one hand, this congruence does support the model, but on the other, one
    can't really say it is too novel.  The popular, but demonstrably
    incomplete, risk assessment study is de-emphasized in favour of a more
    difficult, but more realistic, baseline security standard in chapter
    eleven.  Details on how to conduct such a study are very helpfully given
    in chapter twelve, although the benchmark chart is going to be much harder
    to come by than is made clear in the text.  Chapter thirteen provides a
    practical and useful set of criteria for determining control objectives. 
    A number of security tactics are detailed in chapter fourteen.  Chapter
    fifteen takes the larger strategic view.  (I was delighted to see the
    inclusion of a section on corporate ethics in this chapter.  Recently I
    contracted to produce a security document for an educational institution,
    and was told to take the section on ethics out.)  Management of security,
    in chapter sixteen, includes provisions for training, policy, and other
    factors.  Chapter seventeen finishes off with a look to the future.  The
    material, while thought-provoking, is possibly more likely to generate
    arguments than solutions. 
    
    Parker's stance on security in general definitely puts him in the camp of
    the professional paranoids.  However, absent the first and last chapters,
    there is a lot of good, solid knowledge here to help educate any security
    practitioner.  The material in the second half of the book is just as
    valuable to the security process as the more technical works such as
    "Practical UNIX and Internet Security" (cf.  BKPRUISC.RVW) by Spafford and
    Garfinkel, albeit in quite a different way.  An informed security policy
    is every bit as important as a good set of "access" controls. 
    
    copyright Robert M. Slade, 1998 BKFICMCR.RVW 981106
    


