Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

REVIEW: "Enterprise Information Security", Peter Gregory

From: InfoSec News <isn () c4i org>
Date: Mon, 6 Jan 2003 00:58:57 -0600 (CST)
Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade () sprint ca>

BKENINSE.RVW   20020916

"Enterprise Information Security", Peter Gregory, 2003, 0-273-66157-4,
C$19.99/UK#156.99
%A   Peter Gregory peter.gregory () hartgregorygroup com
%C   London, UK
%D   2003
%G   0-273-66157-4
%I   Prentice Hall/Financial Times
%O   C$19.99/UK#156.99 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0273661574/robsladesinterne
%P   145 p.
%T   "Enterprise Information Security: Information security for
      non-technical decision makers"

The executive summary states that this book is intended to present
information security to executives.  The introduction certainly shows
that it isn't intended for technical people, who would ask what the
difference was between access over the Internet and remote access, or
a network using TCP/IP and the Internet.

Chapter one asserts that the events of September 11, 2001 woke
executives up to the importance of security.  (Yeah, right.)  However,
there is a good analysis of the reasons that the Code Red/Nimda worm
was successful.  The definition of a threat, in chapter two, is pretty
bad, and the definitions of various types of malicious software are
really bad.  The section on hacking lists a variety of attacks (heavy
on social engineering), the "hacker profiles" concentrate on system
exploits, there is a random list of security problems, and then an
surprisingly good definition of vulnerability.  Authentication and
authorization are reasonably handled, but confused with extraneous
details in chapter three.  Access control is equated with firewalls,
and the discussion of cryptography is all right but full of minor
errors.  (RC 2 and RC 4 have been compromised, Skipjack has been
released for limited review, a digital signature does need a key but
not necessarily an additional password, the loss of a key is not
sufficient to repudiate a digital signature, and the ping-of-death
does not compromise integrity.)  The material on antivirus protection
refers only to scanning, and the material on audit deals only with
logs.  Chapter four is supposed to be about policies, but actually
concentrates on procedures, containing random thoughts and many gaps. 
People are the weak link in security, we are told in chapter five,
and, as with other sections it uses non-standard terms in the
discussion.  More haphazard thoughts are in chapter six, while chapter
seven has a poor definition of privacy and a grab bag of topics.  In
chapter eight a casual list of topics seem to be indiscriminately
assigned to the standard important/urgent quadrant chart.

OK, this is not intended for professionals; it is intended for
managers.  But, even if we give full reign to the usual jokes -- those
who can't, do; those who are incapable of mastering anything, go into
management -- it's still bad form to deliberately mislead them this
way.

copyright Robert M. Slade, 2002   BKENINSE.RVW   20020916

-- 
======================
rslade () vcn bc ca  rslade () sprint ca  slade () victoria tc ca p1 () canada com
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
    February 10, 2003   February 14, 2003   St. Louis, MO
    March 31, 2003      April 4, 2003       Indianapolis, IN




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: