[ISN] REVIEW: "Enterprise Information Security", Peter Gregory

From: InfoSec News (isnat_private)
Date: Sun Jan 05 2003 - 22:58:57 PST

  • Next message: InfoSec News: "[ISN] Linux Advisory Watch - January 3rd 2003"

    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>
    BKENINSE.RVW   20020916
    "Enterprise Information Security", Peter Gregory, 2003, 0-273-66157-4,
    %A   Peter Gregory peter.gregoryat_private
    %C   London, UK
    %D   2003
    %G   0-273-66157-4
    %I   Prentice Hall/Financial Times
    %O   C$19.99/UK#156.99 +1-201-236-7139 fax: +1-201-236-7131
    %O  http://www.amazon.com/exec/obidos/ASIN/0273661574/robsladesinterne
    %P   145 p.
    %T   "Enterprise Information Security: Information security for
          non-technical decision makers"
    The executive summary states that this book is intended to present
    information security to executives.  The introduction certainly shows
    that it isn't intended for technical people, who would ask what the
    difference was between access over the Internet and remote access, or
    a network using TCP/IP and the Internet.
    Chapter one asserts that the events of September 11, 2001 woke
    executives up to the importance of security.  (Yeah, right.)  However,
    there is a good analysis of the reasons that the Code Red/Nimda worm
    was successful.  The definition of a threat, in chapter two, is pretty
    bad, and the definitions of various types of malicious software are
    really bad.  The section on hacking lists a variety of attacks (heavy
    on social engineering), the "hacker profiles" concentrate on system
    exploits, there is a random list of security problems, and then an
    surprisingly good definition of vulnerability.  Authentication and
    authorization are reasonably handled, but confused with extraneous
    details in chapter three.  Access control is equated with firewalls,
    and the discussion of cryptography is all right but full of minor
    errors.  (RC 2 and RC 4 have been compromised, Skipjack has been
    released for limited review, a digital signature does need a key but
    not necessarily an additional password, the loss of a key is not
    sufficient to repudiate a digital signature, and the ping-of-death
    does not compromise integrity.)  The material on antivirus protection
    refers only to scanning, and the material on audit deals only with
    logs.  Chapter four is supposed to be about policies, but actually
    concentrates on procedures, containing random thoughts and many gaps. 
    People are the weak link in security, we are told in chapter five,
    and, as with other sections it uses non-standard terms in the
    discussion.  More haphazard thoughts are in chapter six, while chapter
    seven has a poor definition of privacy and a grab bag of topics.  In
    chapter eight a casual list of topics seem to be indiscriminately
    assigned to the standard important/urgent quadrant chart.
    OK, this is not intended for professionals; it is intended for
    managers.  But, even if we give full reign to the usual jokes -- those
    who can't, do; those who are incapable of mastering anything, go into
    management -- it's still bad form to deliberately mislead them this
    copyright Robert M. Slade, 2002   BKENINSE.RVW   20020916
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
    Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
        February 10, 2003   February 14, 2003   St. Louis, MO
        March 31, 2003      April 4, 2003       Indianapolis, IN
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Jan 06 2003 - 08:36:11 PST