Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>

BKISBPBR.RVW   20021215

"Information Security Best Practices", George L. Stefanek, 2002,
1-878707-96-5
%A   George L. Stefanek
%C   225 Wildwood Street, Woburn, MA   01801
%D   2002
%G   1-878707-96-5
%I   Butterworth-Heinemann/CRC Press/Digital Press
%O   800-366-BOOK fax: 1-617-933-6333 dp-catalogat_private www.bh.com/bh/
%O   http://www.amazon.com/exec/obidos/ASIN/1878707965/robsladesinterne
%P   194 p. + CD-ROM
%T   "Information Security Best Practices: 205 Basic Rules"

The preface states that this book contains rules for a, possibly novice,
system administrator and manager to provide a basic level of security for
an organization.

Chapter one lists a few (well, eleven) attacks on information systems.
These are rather simple; the virus definition is quite old (there is no
mention of macro or email viruses) and worms are depicted in terms of
memory exhaustion; and it is difficult to see what purpose they serve.
The generic structure of an attack or intrusion is described in chapter
two. The initial discussion of policy, in chapter three, is limited to
the advice that you have one. This recommendation is expanded in chapter
four, which does provide some reasonable points on creating a policy.

A few of the "rules" have been given in the earlier chapters, but chapter
five, on network architecture and design, begins what is obviously the
body of the book. Some of the advice is questionable, such as the
commandment to limit firewall selection to those products that carry the
NCSA stamp of approval. (The NCSA approval has some value, but is far
from definitive, and, in any case, the group morphed into the ICSA many
years ago, and is now TruSecure.) By and large the material, and that
which follows, is reasonable and would help to improve the security of
any enterprise, although it is quite limited.
The remaining chapters cover physical security, PCs (tersely), Internet
security, application development, software validation, configuration
management, network monitoring, maintenance and troubleshooting, and
training. The advice about hardware selection (in chapter six) is
restricted to "motherhood" type rules which are vague and would be hard
to follow. The chapters on network hardware (eight) and operating systems
(nine) both recommend that there be a C2 level rating for routers and
servers, although the "orange book" specifications are no longer
considered standards (and in spite of the fact that Windows NT 3.51 got a
C2 rating--on condition that it was not connected to a network).
Encryption, in chapter fourteen, is supposed to be "strong," although
there is little information on how to measure strength. (In fact, a key
length of 128 bits is mandated, despite the fact that this is far too
short for asymmetric systems, and longer than triple DES [Data Encryption
Standard].) The suggested actions in case of attack, in chapter nineteen,
are rather drastic: spam should be addressed by killing email service,
and a denial of service attack should be responded to by disconnecting
from the net.

Overall, this does have value as a "quick and dirty" set of guidelines
for administrators who do not have formal security training and
experience. The book is short, and thus easily readable for busy people.
While security professionals may cringe at the simplistic nature of some
recommendations, the rules can help improve the security of a system that
would otherwise have none, as long as the reader does not gain a false
sense that he has implemented proper security.

copyright Robert M. Slade, 2002   BKISBPBR.RVW   20021215
--
======================
rsladeat_private  rsladeat_private  sladeat_private  p1at_private
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
    March 31, 2003   Indianapolis, IN