The Virtual Bookcase Reviews of 'Defending Your Digital Assets Against Hackers, Crackers, Spies, and Thieves':
Reviewer amazon.com wrote:
Computer security holds a unique position among information technology disciplines. Because threats to systems are so numerous and varied, you can spend years studying them (and general strategies for counteracting them) before you start to work with specific security tools. Defending Your Digital Assets Against Hackers, Crackers, Spies and Thieves is a guide to computer security that remains one step back from security software itself. In place of specific how-to information, readers learn about the motives of online attackers and the strategies they use to gain unauthorized access to systems and data, plus overarching concepts like public-key cryptography. They also find out about defensive and forensic strategies for preventing attacks and limiting their potency when they occur. The authors of this book--a cryptographer, a couple of mathematicians, and a handful of others--employ a very text-heavy presentation style that's best suited to attentive study. The prose tends to be dense and a bit academic, and certain conceptual diagrams approach inscrutability. Still, security is a complicated matter, and a simplistic treatment wouldn't be as useful. It's possible to scan the index for a topic that interests you--keystroke biometrics, say--and find a definition and a statement of pros and cons. You'll also find endnote references to more specialized works but little mention of software products that implement the ideas the authors explain. --David Wall
Topics covered: Computer and network security, including risk management, security policy, cryptography, access control, authentication, biometrics, actions to be taken during an attack, and case studies of hacking and information warfare.
Reviewer Rob Slade wrote:
In the preface, the authors decide to define their own terms their own
way. For example, hackers break into computers for the thrill of it,
while crackers break in for profit. They also state that there is a
tension between securing a network and managing it, ignoring the fact
that most people see security as a management issue. Later, in the
first chapter, the "authors apologize for being a little informal" in
what they say. Aside from the lack of any reason given for the
necessity of this "informality," it certainly appears to be much more
appropriate to call it disorganization and a lack of discipline. The
book is supposed to be aimed at executives and managers, rather than
security specialists, or is intended to be used as the text for a
graduate information security course. Again, leaving aside the
inherent contradiction in that assertion, the material in this work is
not just careless, but so seriously flawed that any manager relying on
it (let alone the poor grad student) is going to be seriously misled
in places.
Part one purports to be an overall introduction. Chapter one starts
with digital espionage and throws around lots of scary numbers and
names. Unfortunately, the text lacks any analysis of the reports
being cited, most of which seem to be opinion surveys, and some of
which contradict each other. (Attacks are said to number in the
hundreds per day in one account, while another [from the NSA] asserts
250 per year, and yet a third [from the FCIRC] states 244--for the
same year.) The text is also extremely confused and appears to be
almost deliberately unstructured: one paragraph starts talking about
fraud and then covers the Morris Internet Worm, the only link being
that Morris was prosecuted under the Computer Fraud and Abuse Act.
Explanations are careless: the venerable Crack security tool is said
to "attack" computers. The material is very disorganized, and if you
can trace a common thread through a section of the text you will find
that most of the content is peripheral to it. Chapter two is supposed
to cover information security (infosec, in the book's jargon), but
instead continues to regale us with stories of digital espionage (DE)
and infowar. (Except for a seemingly pointless digression into
Hurricane Andrew.)
Part two is to present us with infosec concepts. Chapter three,
somewhat surprisingly, does give us a decent "Common Body of
Knowledge" overview and threat list, along with some risk management
and infosec architecture. A serviceable discussion of policy, with
some time out for US fed bashing, is in chapter four. Privacy, in
chapter five, is not covered well: we have a flatly inflammatory
definition of a "cookie," and ten pages of unsupported tables and odd
graphs which eventually reveal that some people want privacy and
others want to collect data. (Big surprise.) Chapter six talks about
security system certification and verification.
Part four touches on practical infosec. Chapter seven gives a decent
outline of cryptography, with a good comparison of strength, but a
huge "analysis" of key recovery and escrow systems shows only that
some like it and some don't. Access control systems are covered in
chapter eight. Digital signatures and certificate authorities are
reviewed in chapter nine: the web of trust model is mentioned, but not
analyzed or used in the material. Chapter ten is a confused
discussion of permission management, concentrating primarily on
e-commerce and the Web. Various factors in Virtual Private Networks
(VPN) are listed in chapter eleven. Some biometric methods are
described in chapter twelve.
Part four does not really deal with business continuity and recovery,
but emphasizes "event management." Chapter thirteen looks at general
security factors before the attack. "During and after the attack," in
chapter fourteen, examines some audit and detection and some Web
security.
Continuing with the militaristic imagery, part five wants to give us
an "order of battle" for infowar. Chapter fifteen's "big picture" is
more on risk assessment. The definition of infowar, in chapter
sixteen, is vague, generic, and limited in scope. Malicious code is
described as a type of virus in chapter seventeen, rather than virus
being a subset of the class of malicious software. More infowar
details, and a general model of military intelligence, bog down in a
weird architecture model. "Methods of Employment," in chapter
eighteen, is probably more useful if you want to attack somebody.
Public key infrastructure, in chapter nineteen, reprises chapter nine.
Chapter twenty's look at cryptography and politics concentrates on US
regulations and cases, with little philosophical discussion of the
issues.
The appendices that close the book are of limited use. For example,
the "annotated bibliography" is not annotated, and contains a number
of general press articles and news stories.
While there is some useful material in this text, the entire work
requires a wholesale reordering to be of any value. A solid
restructuring along topical lines would allow a great deal of
extraneous verbiage to be discarded. A disciplined adherence to the
topic at hand would make the valuable content much more accessible to
the target audience. As it is, the book joins a long line of similar,
and similarly disorganized, "guides" that do not really help the non-
specialist.
copyright Robert M. Slade, 2000