BKININSC.RVW 20010511

"Inside Internet Security", Jeff Crume, 2000, 0-201-67516-1, U$29.95
%A   Jeff Crume crume@us.ibm.com
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2000
%G   0-201-67516-1
%I   Addison-Wesley Publishing Co.
%O   U$29.95 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%O   http://www.amazon.com/exec/obidos/ASIN/0201675161/robsladesinterne
%P   270 p.
%T   "Inside Internet Security: What Hackers Don't Want You to Know"

Recently I started teaching a new class. During the introductions, one student admitted that he wanted to learn how to break into systems since that would teach him how to protect them, right? In the first place, I don't believe him. In the second, his thesis is seriously flawed. Yet that is the type of argument Crume seems to be making in the introduction to this book: learning how to hack will teach you how to protect yourself. It doesn't work that way. Knowing how to exploit a buffer overflow in Microsoft's Internet Information Server doesn't teach you anything about the type of systems development practices that will keep you from leaving buffer overflow loopholes in your own programs.

Crume does, however, present some good, if basic, security advice. After a bit of a rocky start. Chapter one says that there are weaknesses in the net. Big surprise. Chapter two says that the net is possibly dangerous. About the only reliable information you'll get out of chapter three is that hackers differ. By chapter four, though, the book has settled down. Here we get a decent introduction to risk analysis, stressing that some risks are not worth protecting against. There is some solid advice about security policies in chapter five, most notably, have one. Chapter seven lists some good general points to keep in mind, which then become the titles of the remaining chapters. There is a clear, if not terribly detailed, explanation of what firewalls are and do, in chapter eight.
We are warned to be wary of insiders in chapter nine, which also points out that not all "insiders" are actually inside. Chapter ten outlines some of the aspects of social engineering. A detailed discussion of passwords, in chapter eleven, even covers tokens and biometrics. Network and packet sniffing is explained in chapter twelve. Chapter thirteen is weak. Ironically, it is the first chapter to touch closely on the items Crume implied in the introduction, and looks at software vulnerabilities. But these loopholes are very difficult to deal with, and the material here isn't much help. Chapter fourteen is helpful in pointing out that factory-set defaults can be dangerous. The title of chapter fifteen ("it takes a thief to catch a thief") seems to be suggesting that you hire hackers. Actually, it merely suggests that you learn the vulnerabilities that they know. However, it isn't very useful in pointing the reader in the right direction. Chapter sixteen offers a grab bag of anecdotal reports of recently exploited vulnerabilities. And, of course, I have to pay special attention to chapter seventeen, on viruses. Well, Crume makes mistakes, but he doesn't make any really important ones. The background is reasonable, and the advice is sound. Chapter nineteen provides a good overview of cryptology, but some of the more important points get buried in the stories. (There is more material provided in appendix A.) Backdoors and end runs are discussed in chapter twenty. Chapter twenty-one points out that even "harmless" defacement of a Website can have serious consequences, while twenty-two says that information is valuable and a good defence. Chapter twenty-three finishes off with a look at some emerging technologies that are bringing forward new security concerns. One note that I should make: the text doesn't have all that much to say about the Internet, as such. Most of the points deal with security on a general basis. Which doesn't necessarily make it any less useful.
This book can be read completely in a day. And, for most managers and businesspeople it would be a day very well spent. While some chapters are weak, roughly three quarters of the material is both reasonable and technically sound, a match that happens less often than one might wish. This is definitely a volume to get to pass around among all employees--and to provide to all newly hired managers.

copyright Robert M. Slade, 2001