BKNESEAS.RVW 20091004

"Network Security Assessment", Steve Manzuik/Andre Gold/Chris Gatford, 2007, 978-1-59749-101-3, U$59.95/C$77.95
%A Steve Manzuik
%A Andre Gold
%A Chris Gatford
%C 800 Hingham Street, Rockland, MA 02370
%D 2007
%G 978-1-59749-101-3 1-59749-101-2
%I Syngress Media, Inc.
%O U$59.95/C$77.95 781-681-5151 amy@syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1597491012/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1597491012/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1597491012/robsladesin03-20
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 372 p.
%T "Network Security Assessment: From Vulnerability to Patch"

Chapter one is a general discussion of vulnerabilities and risk. The material makes the process (and threat environment) seem more formalized and simpler than it really is. Initially the review of vulnerabilities seems limited to coding issues, but later parts of the book concentrate almost exclusively on network issues.

A broad overview of the usual "discovery/enumeration/analysis" style of penetration testing is given in chapter two. Assessment tools are noted in chapter three, although the content is mostly a duplication of chapter two. While most of the suggestions are reasonable (yes, you do want a low rate of false positive alarms), some are unrealistic (a zero rate of false negative results is almost inherently impossible to achieve). Chapter four addresses the discovery stage, though not in much depth. Similarly, chapter five's examples of enumeration are limited to various scans. Chapter six repeats the penetration testing review from chapter two, but with different examples. Vulnerability management, as delineated in chapter seven, is simply a project cycle with some audit functions included. Chapter eight is a terse listing of vulnerability management tools.
The content of chapter seven is repeated in chapter nine, in a more confused form, and now under the title "Vulnerability and Configuration Management." "Regulatory Compliance," in chapter ten, is restricted to a brief discussion of the Payment Card Industry Data Security Standard and the US Sarbanes-Oxley law. Chapter eleven re-reviews the chapters in the book. An appendix covers legal factors for a variety of information security concerns.

The material in this work provides a decent introduction to vulnerability assessment and penetration testing, but with a great deal of padding and duplication. Condensed into a magazine article, instead of running to almost four hundred pages, it could have been very useful. There is also a chance that the reader will be misled by the doctrinaire stance taken in many cases, such as the presentation of penetration testing as distinct from vulnerability assessment, when the reality is a continuum, with most people taking a hybrid approach. Overall the book is a good start, but those wishing to actually begin working with assessments will need additional help.

copyright Robert M. Slade, 2009