Fear, Bruce Schneier, 2003
It is instructive to view this book in light of another recent publication. Marcus
Ranum, in "The Myth of Homeland Security" (cf. BKMYHLSC.RVW) complains
that the DHS (Department of Homeland Security) is making mistakes, but provides
only tentative and unlikely solutions. Schneier shows how security should work,
and does work, presenting basic concepts in lay terms with crystal clarity. Schneier
does not tell you how to prepare a security system as such, but does illustrate
what goes on in the decision-making process.
Read More ...
Wireless Security End to End, Brian Carter/Russell Shumway,
Part one is
an introduction to wireless network security. Chapter one is supposed
to be an opening to wireless networking, but is basically a list
of common protocols. Wireless threat analysis, in chapter two,
is an unstructured list of miscellaneous threats. A facile overview
of blackhat communities, some intrusion tools, and a discussion
of insider attacks (without mention of any relevance to wireless
networking) is in chapter three.
Security Essentials, Russell Dean Vines, 2002
The introduction asserts, as a statement on the rapid
pace of technological innovation, that wireless security may have
changed between the writing and the publication of the book. It
may be an interesting comment on security that the book is still
relevant and that wireless security is unchanged in the two years
since the book's completion. It may also be a measure of the good
job that Vines did on his subject.
Biometrics, Samir Nanavati/Michael Thieme/Raj Nanavati, 2002
deals with the fundamentals of biometrics. Chapter one presents
a brief rationale for the use of the technology. Biometric
concepts are given in chapter two, but only the most basic.
In chapter three's look at accuracy there are standard metrics
as well as a few unusual ones (and some non-standard jargon).
Cryptography, Bruce Schneier/Niels Ferguson, 2003
points out that cryptography has done more harm than good in terms of securing
information systems, not because cryptography fails in and of itself, but, rather,
due to the improper use or implementation of the technology. This book is intended
to provide concrete advice to those designing and implementing cryptographic
systems. As such, it is not the usual introduction to cryptography, and is aimed
at a fairly limited group.
Risk: Regulation, Analysis, and Management, Carol Alexander,
In 1999, the Basel Committee on Banking Supervision
(BCBS), spurred by recent bank collapses, started
working toward an Accord
in regard to risk
management. The eventual Accord, also known as Basel II, was not
wholly defined, but established three points or "Pillars": that banks establish a capital
reserve somewhat commensurate with their total risk, that risk management plans
be subject to a supervisory review, and that such plans be disclosed. Operational
risk was defined as" the risk of loss resulting from inadequate
or failed internal processes, people and systems or from external
Read More ...
Integrity Software, John Barnes, 2003
upon a time, a group set out to build a language which would allow
you to write programs that could be formally verified. Formal analysis
and proof can be used to determine that a program will work the
way you want it to, and not do something very weird (usually at
an inopportune time). First came the attempt to build the Southampton
Program Analysis Development Environment (or SPADE) using a subset
of the Pascal programming language. When it was determined that
Pascal wasn't really suitable, research was directed to Ada, and
the SPADE Ada Kernel, or (with a little poetic licence) SPARK,
was the result.
Read More ...
Security and Cryptography", Peter
Thorsteinson/G. Gnana Arun Ganesh, 2004
For an ancient linear/procedural dinosaur
like myself, it is interesting to see
prehistoric API (Application Programming
Interface) library documentation and
the descriptions of the new object-oriented
classes. Older books were full of icky
such as usage syntax and required
While this work does contain some sample code, generally
comments that merely repeat what is obvious
from the name
of the method,
most of the material simply
consists of mentioning that the methods and classes exist.
I can only wonder at the marvels of the
new age of
where everything is so "intuitive" that
correct coding is automatic and inevitable.
Intrusion Detection Systems, Tim Crothers, 2003
The preface implies that this book is a professional reference for building and
maintaining intrusion detection systems (IDSs). I'd say it has a fair way to
go before it could make that claim.
is an overview of intrusion detection. The basic concepts are
all included, but it is often difficult to understand the point
that the author is making.
of Computer Espionage, Joel McNamara, 2003
I suppose one might be able to make a case that this book
is about computer espionage, but the contents are hardly secret.
The fact that the introduction is decidedly vague about the audience--anyone
concerned that someone might want to spy on their data--would lead
one to suspect that this is another attempt to jump on a hot bandwagon,
without necessarily doing a lot of research first. And, in this
case, one would be right.
events have demonstrated that we are badly in need of guidance
in the matter of the construction of secure software (or the safe
fabrication of code). This book covers a topic that is very necessary.
Unfortunately, the work is insufficient to the task.
Read More ...
Detection with Snort, Rafeeq Ur Rehman, 2003
Chapter one is a very simple introduction to intrusion detection and Snort. Beginning
with a brief look at topology, chapter two runs through an installation of Snort,
but does not provide much in the way of explanation or recommendation at the
Intrusion Signatures and Analysis, Stephen Northcutt et
Intrusion detection and network forensics are now vitally important topics in
the security arena. An explanation of how to identify dangerous signatures, and
extract evidence of an intrusion or attack from network logs, is something that
most network administrators require. Unfortunately, while the idea is good, and
badly needed, the execution, in the case of the current work, is seriously flawed.
the Network from Malicious Code", Douglas
While there is some basic information about viruses and
trojans in this work, it isn't clear, good, particularly helpful,
or easy to extract from the surrounding verbiage. What content
is related to networks has very little to do with securing or protecting
them from malware.
Attacks Testing", John Chirillo, 2003
in the introduction seems to indicate that this text might
be similar to SATAN (Security Administrator's Tool for Analyzing
Networks), in that it explains how to build a set of utilities
in order to identify vulnerabilities. As such, there is the
possibility that the work is open to a charge of being more
useful to attackers than to defenders. Fortunately, the book
does not provide a great deal of information that could be
used to break into systems. Unfortunately, it doesn't help
much with defence, either.
Read More ...