[ISN] REVIEW: "Information Security Best Practices", George L. Stefanek

From: InfoSec News (isnat_private)
Date: Thu Jan 30 2003 - 00:47:22 PST

  • Next message: InfoSec News: "[ISN] Security UPDATE, January 29, 2003"

    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>
    BKISBPBR.RVW   20021215
    "Information Security Best Practices", George L. Stefanek, 2002,
    %A   George L. Stefanek
    %C   225 Wildwood Street, Woburn, MA  01801
    %D   2002
    %G   1-878707-96-5
    %I   Butterworth-Heinemann/CRC Press/Digital Press
    %O   800-366-BOOK fax: 1-617-933-6333 dp-catalogat_private www.bh.com/bh/
    %O  http://www.amazon.com/exec/obidos/ASIN/1878707965/robsladesinterne
    %P   194 p. + CD-ROM
    %T   "Information Security Best Practices: 205 Basic Rules"
    The preface states that this book contains rules for a, possibly
    novice, system administrator and manager to provide a basic level of
    security for an organization.
    Chapter one lists a few (well, eleven) attacks on information systems. 
    These are rather simple; the virus definition is quite old (there is
    no mention of macro or email viruses) and worms are depicted in terms
    of memory exhaustion; and it is difficult to see what purpose they
    serve.  The generic structure of an attack or intrusion is described
    in chapter two.  The initial discussion of policy, in chapter three,
    is limited to the advice that you have one.  This recommendation is
    expanded in chapter four, which does provide some reasonable points on
    creating a policy.
    A few of the "rules" have been given in the earlier chapters, but
    chapter five, on network architecture and design, begins what is
    obviously the body of the book.  Some of the advice is questionable,
    such as the commandment to limit firewall selection to those products
    that carry the NCSA stamp of approval.  (The NCSA approval has some
    value, but is far from definitive, and, in any case, the group morphed
    into the ICSA many years ago, and is now TruSecure.)  By and large the
    material, and that which follows, is reasonable and would help to
    improve the security of any enterprise, although it is quite limited. 
    The remaining chapters cover physical security, PCs (tersely),
    Internet security, application development, software validation,
    configuration management, network monitoring, maintenance and
    troubleshooting, and training.  The advice about hardware selection
    (in chapter six), is restricted to "motherhood" type rules which are
    vague and would be hard to follow.  The chapters on network hardware
    (eight) and operating systems (nine) both recommend that there be a C2
    level rating for routers and servers, although the "orange book"
    specifications are no longer considered standards (and in spite of the
    fact that Windows NT 3.51 got a C2 rating--on condition that it was
    not connected to a network).  Encryption, in chapter fourteen, is
    supposed to be "strong," although there is little information on how
    to measure strength.  (In fact, a key length of 128 bits is mandated,
    despite the fact that this is far too short for asymmetric systems,
    and longer than triple DES [Data Encryption Standard].)  The suggested
    actions in case of attack, in chapter nineteen, are rather drastic:
    spam should be addressed by killing email service, and a denial of
    service attack should be responded to by disconnecting from the net.
    Overall, this does have value as a "quick and dirty" set of guidelines
    for administrators who do not have formal security training and
    experience.  The book is short, and thus easily readable for busy
    people.  While security professionals may cringe at the simplistic
    nature of some recommendations, the rules can help improve the
    security of a system that would otherwise have none.
    As long as the reader does not gain a false sense that he has
    implemented proper security.
    copyright Robert M. Slade, 2002   BKISBPBR.RVW   20021215
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
    Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
              March 31, 2003           Indianapolis, IN
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 03:23:55 PST