IWS - The Information Warfare Site




New Reviews

Beyond Fear, Bruce Schneier, 2003

It is instructive to view this book in light of another recent publication. Marcus Ranum, in "The Myth of Homeland Security" (cf. BKMYHLSC.RVW) complains that the DHS (Department of Homeland Security) is making mistakes, but provides only tentative and unlikely solutions. Schneier shows how security should work, and does work, presenting basic concepts in lay terms with crystal clarity. Schneier does not tell you how to prepare a security system as such, but does illustrate what goes on in the decision-making process.


Wireless Security End to End, Brian Carter/Russell Shumway, 2002

Part one is an introduction to wireless network security. Chapter one is supposed to be an opening to wireless networking, but is basically a list of common protocols. Wireless threat analysis, in chapter two, is an unstructured list of miscellaneous threats. A facile overview of blackhat communities, some intrusion tools, and a discussion of insider attacks (without mention of any relevance to wireless networking) is in chapter three.


Wireless Security Essentials, Russell Dean Vines, 2002

The introduction asserts, as a statement on the rapid pace of technological innovation, that wireless security may have changed between the writing and the publication of the book. It may be an interesting comment on security that the book is still relevant and that wireless security is unchanged in the two years since the book's completion. It may also be a measure of the good job that Vines did on his subject.


Biometrics, Samir Nanavati/Michael Thieme/Raj Nanavati, 2002

Part one deals with the fundamentals of biometrics. Chapter one presents a brief rationale for the use of the technology. Biometric concepts are given in chapter two, but only the most basic. In chapter three's look at accuracy there are standard metrics as well as a few unusual ones (and some non-standard jargon).


Practical Cryptography, Bruce Schneier/Niels Ferguson, 2003

The preface points out that cryptography has done more harm than good in terms of securing information systems, not because cryptography fails in and of itself, but, rather, due to the improper use or implementation of the technology. This book is intended to provide concrete advice to those designing and implementing cryptographic systems. As such, it is not the usual introduction to cryptography, and is aimed at a fairly limited group.


Operational Risk: Regulation, Analysis, and Management, Carol Alexander, 2003

In 1999, the Basel Committee on Banking Supervision (BCBS), spurred by recent bank collapses, started working toward an Accord in regard to risk management. The eventual Accord, also known as Basel II, was not wholly defined, but established three points or "Pillars": that banks establish a capital reserve somewhat commensurate with their total risk, that risk management plans be subject to a supervisory review, and that such plans be disclosed. Operational risk was defined as "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events."


High Integrity Software, John Barnes, 2003

Once upon a time, a group set out to build a language which would allow you to write programs that could be formally verified. Formal analysis and proof can be used to determine that a program will work the way you want it to, and not do something very weird (usually at an inopportune time). First came the attempt to build the Southampton Program Analysis Development Environment (or SPADE) using a subset of the Pascal programming language. When it was determined that Pascal wasn't really suitable, research was directed to Ada, and the SPADE Ada Kernel, or (with a little poetic licence) SPARK, was the result.


.NET Security and Cryptography, Peter Thorsteinson/G. Gnana Arun Ganesh, 2004

For an ancient linear/procedural dinosaur like myself, it is interesting to see the difference between the prehistoric API (Application Programming Interface) library documentation and the descriptions of the new object-oriented classes. Older books were full of icky things such as usage syntax and required parameters. While this work does contain some sample code, generally with comments that merely repeat what is obvious from the name of the method, most of the material simply consists of mentioning that the methods and classes exist. I can only wonder at the marvels of the new age of programming, where everything is so "intuitive" that correct coding is automatic and inevitable.


Implementing Intrusion Detection Systems, Tim Crothers, 2003

The preface implies that this book is a professional reference for building and maintaining intrusion detection systems (IDSs). I'd say it has a fair way to go before it could make that claim.

Chapter one is an overview of intrusion detection. The basic concepts are all included, but it is often difficult to understand the point that the author is making.


Secrets of Computer Espionage, Joel McNamara, 2003

I suppose one might be able to make a case that this book is about computer espionage, but the contents are hardly secret. The fact that the introduction is decidedly vague about the audience (anyone concerned that someone might want to spy on their data) would lead one to suspect that this is another attempt to jump on a hot bandwagon, without necessarily doing a lot of research first. And, in this case, one would be right.


Secure Coding

Recent events have demonstrated that we are badly in need of guidance in the matter of the construction of secure software (or the safe fabrication of code). This book covers a topic that is very necessary. Unfortunately, the work is insufficient to the task.


Intrusion Detection with Snort, Rafeeq Ur Rehman, 2003

Chapter one is a very simple introduction to intrusion detection and Snort. Beginning with a brief look at topology, chapter two runs through an installation of Snort, but does not provide much in the way of explanation or recommendation at the various points.


Intrusion Signatures and Analysis, Stephen Northcutt et al., 2001

Intrusion detection and network forensics are now vitally important topics in the security arena. An explanation of how to identify dangerous signatures, and extract evidence of an intrusion or attack from network logs, is something that most network administrators require. Unfortunately, while the idea is good, and badly needed, the execution, in the case of the current work, is seriously flawed.


Securing the Network from Malicious Code, Douglas Schweitzer, 2002

While there is some basic information about viruses and trojans in this work, it isn't clear, good, particularly helpful, or easy to extract from the surrounding verbiage. What content is related to networks has very little to do with securing or protecting them from malware.


Hack Attacks Testing, John Chirillo, 2003

The description in the introduction seems to indicate that this text might be similar to SATAN (Security Administrator's Tool for Analyzing Networks), in that it explains how to build a set of utilities in order to identify vulnerabilities. As such, there is the possibility that the work is open to a charge of being more useful to attackers than to defenders. Fortunately, the book does not provide a great deal of information that could be used to break into systems. Unfortunately, it doesn't help much with defence, either.



Last modified: 30 December, 2007 by Wanja Eric Naef

IWS Copyright 2000 - 2008