BKESTMDG.RVW 20020916

"Enterprise Security", David Leon Clark, 2003, 0-201-71972-X, U$39.99/C$62.99
%A   David Leon Clark
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2003
%G   0-201-71972-X
%I   Addison-Wesley Publishing Co.
%O   U$39.99/C$62.99 416-447-5101 fax: 416-443-0948
%O   http://www.amazon.com/exec/obidos/ASIN/020171972X/robsladesinterne
%P   264 p.
%T   "Enterprise Security: The Manager's Defense Guide"

The preface is heavy on buzzwords (and a few spelling errors) with little attention paid to concepts and structure.

Part one would like us to think of the forging of a new economy. Chapter one asks "what is e-business," and, with a little re-interpretation of history (according to this book, the Internet "became available to the public" after it had already existed for twenty-two years and had five million users, a significant number of them private and commercial) and by ignoring inconvenient facts (the hyperinflation of dot com IPO stocks is said to prove the success of e-business just before we are told that the dot com failure was inevitable because of stock hyperinflation), tells us that e-business uses the net and makes money. Some security jargon is introduced in chapter two. A confused recycling of trade press myths about blackhats, in chapter three, seems to state that these are the only malicious opponents of e-business: there is no mention of insider attacks.

Part two looks at protecting information assets in an open society. Chapter four demonstrates an amazingly consistent failure to understand the technologies supposedly being explained: a De-Militarized Zone (DMZ) is, by definition, not abandoned outside the firewall, and Simple Key Management for IP (SKIP) is not a virtual private network (VPN) product. There are more buzzwords, miscellaneous security concerns, and more mistakes (ActiveX is *not* multi-environment) in chapter five.

Part three talks about waging war for control of cyberspace.
Chapter six looks at attacks by syntax, and demonstrates more TCP/IP errors. (Packet filtering is not exactly built into IP: the ability to handle a packet based on destination is central to the idea of networking. The ping-of-death has nothing to do with fragmentation offsets since it is a single packet, and it is not too small, but too large.) There is a confusion of attack scripts and script viruses (and cookies, too, for good measure) in chapter seven. Countermeasures and attack prevention, in chapter eight, actually looks (tersely) at incident response. The material isn't too bad, but has very little detail. DDoS (Distributed Denial of Service), already discussed in chapter six, now gets more pages, but little more detail. Chapter ten is a grab bag of random safeguards and countermeasures, as is eleven.

Part four deals with active defense mechanisms and risk management. Chapter twelve, entitled vulnerability management, suggests collecting alerts. Given what we've seen so far, it is strange that chapter thirteen *does* address the nominal subject of risk management, albeit not very well.

This confused collection of random concepts adds nothing of value to the security literature.

copyright Robert M. Slade, 2002