Enterprise Security: The Manager's Defense Guide
by Aleksandar Stancin - Thursday, 28 November 2002.
Author: David Clark
Pages: 288
Publisher: Addison-Wesley
ISBN: 020171972X



Available for download is chapter 1 entitled "What Is E-Business?".

Introduction

E-business, the buzzword of the second half of the '90s, has managed to survive and overcome problems that have occurred after the initial breakthrough, and is now facing a different kind of a problem. That is insufficient security that allows malicious users to take matters into their own hands, causing material damage not only to the companies, but also to individuals in form of their customers.

Material damage is not cheap, and once lost trust is hard to be regained, so e-security is of vital importance, and even though the situation is now much better than in the last few years, it still presents something that likes to be overlooked. Or at least dealt with minimum care and investments, which in a long run is a really bad approach. In order to emphasize it's importance to end users and managers, appropriate books and courses are in order, and we have one such a book here.

The author

This book is written by David Leon Clark, as the cover says it, a man with over twenty years of experience in information technology, currently program manager at Acton Burnell, Inc. He is also the person in charge of support and security consulting, and a professional writer on high-tech topics.

Inside the book

What we have here before us is a book dealing with e-commerce security, mainly, with targeted audience among small and medium companies, even though the author mentions multinational corporations, which is a pretty bold statement. Such corporations already have teams and subdivisions in the IT field that handle e-security issues, and they probably do it far better than this book does. No, it is fair to say small and medium companies, and their managers that are not too familiar with the concept of e-security.

One does not need to be a computer expert to understand it, and it's pretty short, making it easy reading material. It tries to provide a detailed overview of e-security, but bearing in mind that the book spreads on some 250 pages of printed material, that can hardly be the case, right? I'd find the term brief overview, or just overview more appropriate. But, let's see what it offers, before I make any further judgment of it.

It consists of four major parts, underneath which are 13 chapters, and four appendices. What can be found inside? In the first part that deals with e-business, or forging of a New Economy as the author calls it, the uninitiated reader may learn more about current e-business trends and issues related to e-security, including it's downfalls. Later on the author leads you into the world of the "hacker". The part dealing with e-business is written more than correctly, which is not something that can be said for the "hacker" part, but I'll get into that at the end of the review.

The second part of the book, aptly named "Protecting information assets in an open society" gives you a clue what it's all about. Firewalls, DMZ's, VPN's, and their downfalls are there. If you're a manager, and know little about the terms mentioned above, it would do you a world of good to read them, at least to understand a little what your IT staff deals with on a daily basis. The author mentions "providing enterprise solutions with total security or as much as is practical in the world today". I'm glad he wrote this disclaimer as there is no total or absolute security, unless you unplug the machine and disassemble it, rendering it useless.

The Third part of the book presents you with cracking and hacking methods, as long as solutions to render them pretty much useless. If you take a better look at the topics covered here, as DDoS tools, script attacks, etc., you'll come to the conclusion that it actually deals with script kiddies and various scripted attacks - not much hacking there.

The author makes some good points and suggestions for e-security, as long as how to deploy several methods of control and how to harden your system. Again, it will give you an excellent insight into what your IT staff has to deal with.

The Fourth part of the book deals with defence mechanisms and risk management, that may help you evaluate and prepare your system against possible attacks. Not much needs to be said there. The appendices include top 20 internet vulnerabilities, CERT response form, more about Denial of Service attacks and how to harden Windows 2000 systems.

The term "hacker" and it's use in this book

Well, let me deal with the term "hacker" in this book. I appreciate the authors concern with security in mind, but he overemphasises the negative aspects of hacking, almost disregarding positive ones.

Hackers are portrayed as evil villains, with almost no exceptions, and various hacker tools and procedures described are nothing more than your average script kiddie toolbox.

At least at the end of the book, the author mentions curiosity as one of the things that motivate hackers. Sure, it is illegal to hack into systems, no matter what. However, a lot of progress and good stuff has come from hacking in the past years, that I believe it's wrong to present it like this. Not all hackers are evil. Does the term "cracker" come to mind?

If the author is trying to tell me he never felt the need to try something different, or felt just plain curious about how things work, and learned a lot along the way, well... From innovation comes improvement, creativity, not from just fixing up the standard routine, and lot of hackers have shown that. They innovated and created useful software. Think about that a bit.

The verdict

This book can be best described as a guide on e-security, but I lack to see the connection between it and the targeted audience, which by authors words, are various chief information officers, IT managers, system analysts and such.

The book is rather brief, written in plain English. It deals with too many general issues but provides good guidelines for those managers who are not too familiar with IT area, or e-security, but the above mentioned group should already be very familiar with topics inside it. It can serve as a good reminder, with guidelines, to all audiences interested, but it needs to be expanded with a lot more information. I can recommend it to anyone not familiar with the subject, various managers or just plain curious, with some mediocre, or small level of IT knowledge.

So, overall, what can be said about "Enterprise Security"? It's a decent book in these times where e-business with all its fluctuations is an important part of world economics. Security must be hardened, and all those incident responses and problems that usually arise are only proving that not much attention is paid to it.

This book is ideal for your manager if he or she does not understand the magnitude of problems you, as a part of the IT staff, have to deal with, or is even uncooperative when it comes to providing you with more resources. But, I hardly think you'll find anything new for yourself in it, serving you only as a mere collection of guidelines, sort of a check list in case you forgot something.



Spotlight

Windows 0-day exploited in ongoing attacks, temporary workarounds offered

Posted on 22 October 2014.  |  A new Windows zero-day vulnerability is being actively exploited in the wild and is primarily a risk to users on servers and workstations that open documents with embedded OLE objects.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Oct 23rd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //