InfoSec Reviews Awards 2011 by Tony Campbell

ìnfo nfoSec Sec reviews

THE ANNUAL AWARDS MAGAZINE FROM INFOSECREVIEWS.COM

inside BEST INFOSEC BOOKS PUBLISHER INTERVIEW AUTHOR INTERVIEWS SURVEY RESULTS

new FIRST ISSUE

best BOOK AWARDS

InfoSec 1_OFC.indd 1

10/03/2012 09:55

InfoSec 1_IFC_Ad.indd 2

10/03/2012 10:17

editorial

L EDITORIAL EDITORIAL EDITORIAL EDITORIAL EDITORIAL EDITORIAL About Us

InfoSec Reviews is a website resource for the Information Security community, published by InfoSec Reviews Ltd., registered in the UK. It can be viewed online at: www.infosecreviews.com

Editorial Board

Tony Campbell, John Hughes, Dave Raimbach, Mich Kabay, Terry Neal

Acquisitions

Tony Campbell, John Hughes, Dave Raimbach

News Desk John Hughes

Marketing

Dave Raimbach & Tony Campbell

Production and Design

Matt Dettmar (freelancemagazinedesign.co.uk)

Welcome to the InfoSec Reviews annual awards magazine, where we pay homage to the exceptional work that’s been undertaken in the Information Security marketplace during 2011. This year’s inaugural InfoSecReviews.com awards has focused primarily on security related books (and the book publishers) as this is where InfoSec Reviews started from back in the summer of 2011, however, next year we will be expanding the awards to include categories for products, magazines, websites and training, which we are really excited about. So, what’s inside? This year’s magazine, as I said, focuses on books, and to mark this, we have managed to acquire some great articles and interviews that I’m sure you’ll find interesting. Mich Kabay, our weekly columnist who writes the Perception blog (www.infosecreviews.com/perception), has supplied an excellent article on how to write about Information Assurance matters. If you are a budding author, be sure to take a look, as there are some useful hints and tips in there that will help you on your way. We’ve also had an article in from the premier Information Security publisher, Syngress, on working and publishing in this market, which is well worth a read, and, we also have a couple of great interviews with some of the most well known writers in the market. One of the most interesting things we did at the end of last year was to add a short survey into the nominations for best books. This gave us some idea of how the information security book buying market was performing. The survey results make fascinating reading, even if you are not an author or a publisher, as the book buying market often highlights what’s important in a particular niche area. I hope you enjoy reading the rest of the magazine and that the awards give you some ideas of what you might be interested in adding to your bookshelf over the next few months.

Tony Campbell Editor-in-Chief InfoSecReviews.com

Contributing Authors

Tony Campbell, John Hughes, Harlan Carvey, Michal Zalweski, Mich Kabay

Reviewers

Tony Campbell, Sharon Campbell, John Hughes, Dave Raimbach, Terry Neal

CONTACT INFOSEC REVIEWS Editorial

Contributions to the website are always welcome; if you are interested in writing for InfoSec Reviews or would like to be on our technical panel for future review work, please contact us on editorial@infosecreviews.com

News

If you have an interesting news item that you’d like us to cover, please contact us on: contact@infosecreviews.com

Advertising

If you are interested in advertising with InfoSecReviews.com or would like a copy of our media kit, contact the marketing team at: marketing@infosecreviews.com

Blogs and Perception

For all blog or Perception column enquiries or suggestions, please write to our editorial team at editorial@infosecreviews.com

Trademarked names may appear in this magazine. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

InfoSec 1_03_Editorial.indd 3

16/03/2012 09:11

Information Security Product & Service Reviews By Professionals For Professionals

www.infosecreviews.com InfoSec 1_04_Ad.indd 4

15/03/2012 08:19

contents

NTS CONTENTS CONTENTS CONTENTS CONTENTS CONTENTS CONTE

best books Certification ......................................10 Cryptography ...................................12 Cybercrime & Homeland .................14 Digital Forensics ...............................18 Governance & ISMS .........................20 Hacking & Pen Testing .....................22 Information Security ........................26 Networking Security ........................32 Systems Administration ...................34 Identity Management ......................36

FEATURES The InfoSec Book Market .................. 6 Tony Campbell introduces us to InfoSec books

Author Interview ................................ 8 InfoSec author Harlan Carvey

Writing IA Articles ............................16 Mich Kabay on how to write for security

Editorial .............................................25 All We Want Are The Facts, Maâ&#x20AC;&#x2122;am

Ask the Publisher .............................28 Behind-the-scenes with Syngress

Author Interview ..............................30 InfoSec author Michal Zalewski

InfoSec 1_05_Contents.indd 5

15/03/2012 08:20

feature

EC BOOK MARKET THE INFOSEC BOOK MARKET THE INFOSEC BOOK

Our Survey Says… by Tony Campbell

The Information Security book market was certainly an interesting place to be in 2011. To attempt to map the rough size and shape of this market, and to determine what’s influencing people’s purchasing decisions, InfoSec Reviews ran a survey alongside the 2011 award nominations in an attempt to garner some insight into what makes IA people tick. The results were extremely interesting and a true testament to the profession when you see what the majority of people are interested in. We hope you find this a useful read.

What’s Hot and What’s Not? Firstly, over half the populous of book buyers are studying for one of the many security related certifications available to professionals. A massive 58% of respondents said that the top category for spending money on textbooks was certification. This included books for CISSP, CEH, and BCS certification preparation (the latter being the CISMP qualifications which has only one textbook on the market currently). We were surprised at this result; however, it’s encouraging to see that over half of the IA professionals surveyed were studying for professional qualifications last year. Of all the categories analyzed, the overwhelming majority of you admitted general information security books where

you were spending the most money. 84% of you responded saying that you read these kinds of general security books on a regular basis (more than once a week). This year’s winner of the general category, The Computer Security Handbook 5th Edition, by Seymour Bosworth (Editor), M. E. Kabay (Editor), Eric Whyne (Editor), is a true bible for the IA professional – a deserving winner indeed. In second place, with 68%, we had a tie between books on Networking Security and those in the Hacking and Penetration Testing category. These are obviously strong growth areas for publishers and with the current governmental and media focus on cyber security and cloud computing, these are certainly categories to watch over the coming 12 months. Governance and risk management – the stalwart discipline of the IA professional – comes midway down the rankings of popularity; this is for no reason other than the subject matter is largely scientific and statistical and there isn’t much happening in this field. However, books will always be needed on this subject as it’s at the heart of all we do as IA professionals. The least popular categories of security books in 2011 proved to be an interesting collection of niche subjects, such as cryptography and systems administration (from an IA point of view), and growth areas such as identity management. It

With just 44% of readers preferring the Amazon Kindle format, the paperback and hardback are still top of the list when it comes to your preferred medium would seem that systems administration is not so popular with the security professional book buying market, and while this just overtook identity management at the bottom of the list, identity management, because of cloud computing and distributed data storage, will undoubtedly factor into the growth markets in the coming years.

Buying Decisions Next we asked what it is you think is most important in terms of your buying decision when it comes to Information Security books. By far the most popular response was an independent review (thanks guys, we’re happy to hear that at InfoSec

InfoSec 1_06-07_InfoSec Book Market.indd 6

16/03/2012 09:10

BOOK MARKET THE INFOSEC BOOK MARKET THE INFOSEC BOOK TH

Reviews). Other professionals in the IA field recommending books as worthy of your time (and cash) is undoubtedly the best way to find out what to read. The IA community is largely an honest one and one that is happy to mentor other professionals who need a leg up. However, IA professionals can also be a cynical bunch and Amazon reviews feature way down on the list (we know there have been incidents of publishers paying off reviewers to write glowing reports on Amazon, don’t we?), and below that was the publisher’s own review and back-cover blurb. In fact, just one respondent said they would purchase an IA book based on back cover blurb alone. When you are spending between £50 and £100 in some cases for textbooks, it’s not a simple, whimsical purchase; instead it should be treated as an educational and professional investment. The second aspect of what influences book buying decisions is the formats available for the reader. You’d think that with all the hype and attention, there would be a distinct trend towards e-books, however, with just 44% of readers preferring the Amazon Kindle format, the paperback and hardback are still top of the list when it comes to your preferred medium. What is interesting about this is that 78% of respondents said they purchased hardcover IA books, which is just behind the 85% of respondents who buy paperbacks. It may be that those of you creating a home library still prefer to buy hardback books as they feel like better value for money and look better on the shelf. Just one respondent uses O’Reilly’s Safari bookshelf, the monthly subscription option to their full catalogue (it works a little like a lending library). Electronic devices also figured in the responses, with the majority of e-book readers preferring the Apple iPad over the Amazon Kindle. This was an interesting observation, yet not

surprising as the iPad allows textbooks to display high resolution diagrams, screenshots and images much better than the Kindle, and while the Kindle is great for text (so perfect for novels), the iPad is a far superior and more flexible device (allowing you to read iStore books, Kindle books, PDFs and ePub formats).

Bookshops… onsite or online? The responses for where you buy your books correlate nicely with the fact that independent reviews are the most helpful when it comes to selecting the books you will be purchasing. Shoppers buying books from Amazon was by far the majority (at 75%), this was more than likely attributed to the ease of purchasing (and the availability of more niche subject matter), as well as significant discounts, shipping times, Amazon Prime: and shopping for e-books, irrespective of what device you consume them on, is certainly high on the agenda. So, Amazon seems to have most of our IA pounds and dollars, but we don’t trust what it says in terms of reviews. Some of you use other online retailers (5%) and 10% of you buy direct from the publishers, which only leaves 10% of you who shop in bookstores. Now this is certainly saddening for someone whose temple used to be the bookshop, however, this is the sign of the times.

respondents admitting to a propensity for historical accounts of hacking (Kevin Mitnick style), books on espionage and intelligence services, and information warfare.

Conclusion The infosec book market is still very buoyant and seems to be growing rather than shrinking (probably a reflection of the fact that our industry is also growing). The old stalwart of risk management is still a decent seller in terms of steady state, but what’s really interesting to see is how the growth areas of penetration testing and identity management are faring. InfoSec Reviews will be carefully monitoring the book market over the coming 12 months and we expect to see a significant blip in security books for administrators when Windows 8 lands later this year. For now, keep reading! Tony Campbell is a security professional, author of 9 IT titles, and the editor of the InfoSec Reviews website. He is also a course author for the InfoSec Skills BCS training course for CISMP (available online via InfoSecSkills.com in 2012) and lives in Reading, Berkshire.

What else? It would seem that the IA professional has a tendency to enjoy the fictitious world of espionage and hacking, with an overwhelming 96% of

InfoSec 1_06-07_InfoSec Book Market.indd 7

15/03/2012 08:20

interview

HARLAN CARVEY HARLAN CARVEY HARLAN CARVEY HARLAN CARV Harlan Carvey has written a number of proof-of-concept tools for educating users in such topics as Windows null sessions, file signature analysis, and the retrieval of metadata from a variety of files. He has had articles published in the Information Security Bulletin and on the SecurityFocus website. Harlan, you have written a number of books on digital forensics, how did you get interested in this subject? I became interested in network security while working on my master’s degree while I was in the military, and once I got out of the military, I began conducting vulnerability assessments and penetration tests. From there, I began performing incident response, which seemed like a logical progression for my career path, in that when we were conducting penetration tests, there was simply no response capability with the organizations we worked with. When I moved into an emergency response role, one of the things that really served me well was a focused approach to analysis, and looking back to my most recent engagements for areas where I could improve my analysis. Also, digital forensics provides me with an opportunity to solve problems, which is something I really enjoy. You are bringing out the third edition of the Windows Forensic Analysis Toolkit, what made you bring out another edition? Due to Windows 7 becoming more pervasive within the industry, I felt it was time to move to covering that platform a bit more, particularly in the manner that I’d done so with Windows XP. While many larger organizations really hadn’t moved from Windows XP to Windows 7 yet, and many still haven’t... The availability of Windows 7 on home user systems purchased through Dell or Walmart meant that law enforcement was more likely to start seeing these systems in their labs. Also, keep in mind that the third edition is not simply the second edition with new material added. Rather, the third edition doesn’t address things from the second edition that haven’t changed, such as the Windows Portable Executable (PE) file format, and brings a whole bunch of new information specific to Windows 7 systems, such as

to memorize, and then to use effectively. As far as updating the book, I’m still waiting on feedback from the community with respect to *how* it would need to be updated. So far, I haven’t really seen a great deal of feedback regarding how to better approach the information, or what new information needs to be included. For example, “talk about Windows 7” is far too nebulous to really address because I could write a tome and not address the needs of the community.

StickyNotes and Jump List file formats. When I wrote the second edition, I started by going back to the manuscript for the first edition and adding information; when I started the third edition, I began with an entirely new outline. I wanted to not only approach this edition in a new manner, but I wanted to include material and approaches that I’d seen discussed in lists and forums, as well as in training courses I’d conducted, in order to try and address the needs of the community. Will you update your book Windows Registry Forensics for Windows 7? The first two chapters of WRF are intended to take a “teach a man to fish” approach, providing the tools an analyst needs to understand the forensic value of the Registry, as well as to discover new artifacts. As the binary structure and use of the Registry hasn’t changed since Windows NT (all the way through to the Windows 8 Developer’s Build), none of that information needs to be updated. Perhaps descriptions of tools that have been developed since the book was published would be beneficial. In the second half of the book, I tried to address actual analysis, and provide case-study-type examples of how the Registry has been used, either alone or when correlated with other information, to achieve superior analysis and results. While I would like to expose analysts to some of the new nuances to the Windows 7 (and 8) Registry, I’m not sure that providing lists of keys is entirely beneficial. This can be hard for analysts

In your books you have specialised in Windows forensics. Have you any plans to publish books concerning other platforms? I focus exclusively on Windows. I’m not an expert in anything, I simply have a lot of interaction with Windows systems, not only because I use them, but also because when I’ve performed incident response or digital forensic analysis, these are the systems I tend to encounter. I also talk to a lot of folks who run into issues with their analysis of Windows systems, and I try to help them get over those speed bumps. What impact do you think Cloud computing will have on forensics? It depends on the perspective, and how it’s used. Many cloud providers use Windows 2003 or 2008 as their Windows platform, so you’re likely to see these systems being compromised, or in the case of on-demand platforms, seeing them set up and used for malicious purposes. From a user perspective, “the cloud” may be more of a storage facility, but evidence will continue to be found on the client systems. Where things will really start to get hard is when the desktop itself is “in the cloud”...at that point, things will be really difficult, particular for law enforcement, as the metaphor of a desktop doesn’t map easily when that “desktop” is somewhere “in the cloud”. When this happens, it’s going to become more a matter of “cloud” implementation than ever before. Have you any other books in the pipeline that our readers would be interested in? Not at this time, no, but I tend to look to the community to see what the needs are, and I try to address those. I usually start an outline for a book based on what I’ve encountered in my analysis, but I also try to listen to folks in the community to see what their needs are.

InfoSec 1_08_Author Interview 1.indd 8

15/03/2012 08:20

InfoSec 1_09_Ad.indd 9

16/03/2012 09:20

best

TIFICATION BOOK CERTIFICATION BOOK CERTIFICATION BOOK CERTI

CISSP Boxed Set Reviewer: Dave Raimbach Qualifications: CISSP, ISO 27001 Foundation Author(s): Shon Harris Publisher: McGraw-Hill Osborne Date of Publishing: 1st June 2011 ISBN(13): 9780071768450 Price: £79.99, $105.00 Rating:

The CISSP Boxed Set bundles Shon Harris’s CISSP All-in-One Exam Guide, Fifth Edition, CISSP Practice Exams, and a second CD-ROM featuring her training material. At 1632 pages, this is another heavyweight CISSP resource. I used the fourth edition of this book as revision for my CISSP exam back in 2010. There are many good books in this space – CISSP Study Guide from Sybex, the Official (ISC)2 Guide to the CISSP CBK, The CISSP Prep Guide from Wiley and CISSP Study Guide from Syngress, a lighter weight offering which I have previously reviewed and can be found on the InfoSec Reviews website. Sad as it may sound, but I have them all; yet the Shon Harris book is by far the best of the bunch. The book has a straightforward layout – two introductory chapters, “Becoming a CISSP” and “Security Trends,” followed by one chapter per CISSP domain (Information security and risk management; Access control; Security architecture and design; Physical and environmental security; Telecommunications and network security; Cryptography; Business continuity and disaster recovery planning; Legal regulations, compliance, and investigations; Application security; Operations security). At the end of the book there are two appendices.

Of all the CISSP Exam Guides in this space I consider this to be the best for many reasons, including layout, readability and use of other learning tools As with most books in this space it includes a CD-ROM with a .pdf version. The CD-ROM also includes many scenario-based questions to help prepare for the exam. The book regularly includes the “Note” icon, which introduces a real-world example, discusses an appropriate topic, or provides a link to a URL to find additional relevant material. The book contains many clear diagrams and tables, uses full-page topic summaries. Of course, every domain chapter concludes with a number of relevant questions to check the reader’s progress. Most of all I like the way the book is written. I found it very readable; far more than, for instance, the Official Guide, which I found dry in comparison.

FIRST

Shon Harris has an impressive CV, which adds to the credibility of the book. The Technical and Contributing Editors’ bios are also impressive. What this boxed set includes that the book alone does not is a CD-ROM, which includes two additional practice exams as well as audio and video training led by Shon Harris. The total CD-ROM content for the boxed set includes: • More than 1200 practice exam questions covering the 10 CISSP domains • Practice exam questions complete with answer explanations • Several hours of audio and video training • Audio training with Shon Harris reviewing access control concepts • Video training with Shon Harris teaching core cryptography concepts • E-book version of CISSP All-in-One Exam Guide, Fifth Edition • And more than 1000 practice exam questions and 30 hours of audio training available online Of all the CISSP Exam Guides in this space I consider this to be the best for many reasons, including layout, readability and use of other learning tools. The CDROMs contain much additional material to help prepare for the CISSP exam, including test questions, exams, audio and video.

InfoSec 1_10-11_Best Certification Book.indd 10

15/03/2012 08:21

K CERTIFICATION BOOK CERTIFICATION BOOK CERTIFICATION BOOK

PCI DSS A Practical Guide to Implementing and Maintaining Compliance Reviewer: Edd Hardy Author: Steve Wright Publisher: IT Governance Publishing Date of Publishing: 2011 ISBN(13): 9781849281867 Price: £39.95, $69.95 Rating: The book is clearly aimed at the organizations that need to implement PCI. It’s not aimed at QSAs, or someone who knows PCI and it wouldn’t work for the techy or consultant. This is the book for the not so technical, someone who has been told to sort out PCI compliance. The book certainly explains PCI in some detail, explaining the objectives of PCI, common myths, why it’s actually a good thing, and what all the terms mean. However, the bulk of the content is how to actually “do” PCI. So, it’s all about the PCI Project (it includes basic project management steps). The author takes a sensible approach, rather than vague “it depends what you do” answers, he starts each section with, “To meet this requirement you need to do X.” In some cases it’s just a reiteration of the standard, but for the more complex issues he breaks them into smaller targets that are explained in plain and simple English. Interestingly, it assigns responsibilities within the project management plan. Overall, this is a useful book, albeit very expensive, and all of the information is available elsewhere for free. It doesn’t really add anything new, just presenting PCI in a very accessible way. I wouldn’t use this book myself, but I would recommend it for non-technical clients as a guide to help them understand PCI.

CompTIA Security+ Review Guide

CISA Study Guide

Reviewer: Mark Evans Qualifications: ISO 27001 Lead Auditor Author: James Michael Stewart Publisher: CompTIA Date of Publishing: June 2011 ISBN(13): 9781118061176 Pric: £19.99, $29.99 Rating:

Reviewer: Jim McGhie Qualifications: MBA, CEng, MBCS, CITP Author: David L. Cannon Publisher: Wiley Publishing Inc. Date of Publishing: 2011 ISBN(13): 9780470610107 PricE: £39.99, $69.99 Rating:

This is a very well structured and articulated book that allows the reader to break up a diverse topic into very logical chunks. By doing so, it allows specific focus on key information security points and allows understanding of each section to be ascertained through a short test at the end of the section. The book engages the reader and through its logical structure and use of diagrams, images and exercises, makes it easy for the reader to remain engaged. The book also contains quite basic scenarios, but they break up the publication nicely and allow the reader to focus on images and screenshots relating to the topic. I would definitely consider this book to be value for money, although it has to be stressed that there is a strong bias towards US legislation and regulations rather than those from the UK or Europe. The book also contains a CD containing flash cards and practice assessments to fully prepare you for the SY0-301 exam and also acts as a knowledge refresher when putting information security into practice in the work environment. This book is an ideal resource for those looking to move into a security role and take the associated SY0-301 exam, or for those established security professionals looking to refresh their knowledge.

Cannon has produced a welldocumented coverage of all the knowledge requirements necessary to pass the CISA examination in this book. It consists of a 605-page volume with a well-structured layout. The introductory chapter deals with the practical aspects of how to achieve CISA accreditation. It then discusses the do’s and don’ts of how to approach the examination together with what is expected of exam candidates by the ICSA. This chapter ends by elaborating on the CISA Domain areas, the exam weightings for these, and the task and knowledge statements required of candidates in respect of each of the Domains. I liked the fact that the introduction ends with a self-assessment quiz allowing candidates to determine their weakest areas of knowledge and therefore where they should concentrate their learning efforts. However, the book was published prior to the change in the Domain structure, which took place in 2011, resulting in five Domains and not six. Consequently, each Domain now has an altered exam weighting and a new number of questions from those stated here. The remaining eight chapters focus on the Domain knowledge, covering tools and processes that must be learned and understood in order to be successful in the CISA examination.

InfoSec 1_10-11_Best Certification Book.indd 11

15/03/2012 08:21

best

OGRAPHY BOOK CRYPTOGRAPHY BOOK CRYPTOGRAPHY BOOK C

Cryptography Engineering Reviewer: John Hughes Qualifications: CLAS, ITPC, M Inst ISP, ISO27001 Lead Auditor, GCFE Subtitle: Design Principles and Practical Applications Author(s): Niels Ferguson, Bruce Schneier, Tadayoshi Kohno Publisher: John Wiley & Sons Date of Publishing: 5 Mar 2010 ISBN(13): 978-0470474242 Price: £3699, $34.65 Rating:

FIRST

Cryptographic Engineering is an updated version of Practical Cryptography, originally published in 2003 by Niels Ferguson and Bruce Schneier. It has been updated so that it is now suitable for self-study and classroom training; in effect, this is the second edition of Practical Cryptography. Cryptographic Engineering is intended to provide advice to those designing and implementing cryptographic systems. As such, it provides an introduction to cryptography, the application of cryptography, and then finally its implementation. The book spans just 384 pages split across five parts and 23 chapters, and it’s certainly not as big as some of the other mighty “tomes” that have been written on this subject. The first part introduces the reader to cryptography, in particular emphasizing that security is only as strong as the weakest link, and that one can use the strongest cryptographic algorithms but if implemented incorrectly then can introduce weak links into a system. The second part consists of six chapters and introduces the reader to a number of cryptographic algorithms. Chapter three and four compare and review various existing block ciphers, their modes of operation, and attacks against some of these specific modes. Hash functions are

Anyone wishing to understand the complexities of implementing a crypto system should become familiar with this aspect of cryptography explained and compared in chapter five, while chapter six extends the concept of hashes to message authentication codes. Chapter seven looks at real-world problems and how the algorithms previously defined can be used to create secure channels. Part three takes a look at key negotiation and has chapters explaining both RSA and DiffieHellman. However, the first chapter looks at the problems of generating random numbers. Chapter 14 considers key negotiation, having previously described some of the building blocks and the final chapter in this part looks at implementation issues. Next the authors look at key management and the various approaches

to the problems therein. Chapter 16 discusses the use (and risks of using) clocks and time in cryptosystems, followed by a quick introduction to PKI (Public Key Infrastructure) in chapter 18. Next, Chapters 19 and 20 consider the practicalities and realities of implementing PKI, highlighting problems and shortfalls. Storing secrets, important for key and password security, is discussed in chapter 21. The final part (four) contains miscellaneous topics, including the use of standards and the need for involving experts. This book is certainly not just another ‘introduction’ to cryptography. The content is for those involved in the detailed implementation of cryptosystems, and because of this, the book is rooted in mathematical implementations of algorithms. However, anyone wishing to understand the complexities of implementing a crypto system should become familiar with this aspect of cryptography – and as such, should buy this book. Whilst there are more complete books on cryptography, especially in terms of the basics, Cryptography Engineering comes highly recommended. Anyone wishing to implement a product or application that uses cryptography should certainly buy a copy.

InfoSec 1_12-13_Best Crypto Book.indd 12

15/03/2012 08:21

BOOK CRYPTOGRAPHY BOOK CRYPTOGRAPHY BOOK CRYPTOGRA Oil Industry Open to Cyberattacks

Intro to Cryptography with Open-Source Software

PKI Uncovered

Reviewer: Roy Hills Qualifications: CHECK Team Leader Author: Alasdair McAndrew Publisher: CRC Press Date of Publishing: 24 May 2011 ISBN(13): 9781439825709 Price: £49.99, $79.95 Rating:

Reviewer: Malcolm McKeating Qualifications: CLAS, CISM, CISA Author(s): Andre Karamanian, Srinivas Tenneti, Francois Dessart Publisher: Cisco Press Date of Publishing: February 2011 ISBN(13): 9781587059162 Price: £40.79, $65.00 Rating:

If you’re comfortable with basic mathematics and know a little number theory and algebra, this book is an ideal introduction to how cryptography actually works. The main strength of this book is its use of three complementary methods to explain the concepts and algorithms: a text description, the mathematics, and worked examples using Sage. The use of Sage to demonstrate the mathematical concepts and algorithms is a central theme in this book. Some books use general purpose programming languages, such as C. However, Sage is a simpler and more intuitive language, which avoids the complex syntax of C and the need to include support for big numbers and the like. So, an algorithm that might be a page of C code can be represented in just a few lines of Sage. This lets you concentrate on the math rather than the language. This book is 461 pages in length and it is concise enough to cover a lot of ground in those pages. There are a couple of appendices: an introduction to Sage and some additional number theory, but both are short and useful and are not simply padding. This is an excellent book for anyone who needs a detailed understanding of modern cryptography. The combination of text descriptions, mathematics and worked examples in Sage really helps to explain this complex subject.

I found the content of this book somewhat disappointing. As a security architect familiar with the high-level PKI architectures implemented in UK government and the NHS, I was looking forward to learning how the main concepts can be applied across enterprise networks to ensure certificated authentication between organisational servers. The book is 260 pages in length (including the preliminaries) and comprises 11 chapters. The book opens with a display of icons of, which, oddly, very few are used in the book. Overall, the book would benefit from a more organised structure and a glossary would have been helpful (many terms, such as ‘IPSec’, are used with no expansion). Basic concepts should have been more thoroughly explained in the first sections of the book and configuration examples left to the latter. In contrast, I found the content to be a mishmash of old concepts, extracts from various RFCs, coupled with example output from Cisco devices. Far more detailed information on the various topics is available from the Cisco documentation site, and that’s free of charge. My advice would be to rename this book to what it really is: a low-level PKI guidance document for Cisco engineers.

By Mich Kabay A colleague recently asked me how vulnerable oil-industry installations are to cyberattack; unfortunately, the consensus seems to be “Very.” In February 2011, a report surfaced that “Computer hackers working through Internet servers in China broke into and stole proprietary information from the networks of six U.S. and European energy companies, including Exxon Mobil Corp., Royal Dutch Shell Plc and BP Plc….” Other targets included “Marathon Oil Corp., ConocoPhillips and Baker Hughes Inc.” Publicly traded oil-industry companies hacked by industrial spies or saboteurs might be sued by shareholders if they fail to disclose such attacks: “Investors might also argue they had a right under U.S. securities laws to be informed of the thefts, which a judge might construe as a ‘material’ fact that should have been disclosed.” In an August 2011 report, Matt Liebowitz of the SecurityNewsDaily reported on a Black Hat Security Conference demonstration of hacking the programmable logic controllers (PLCs). Dillon Beresford, an expert penetration tester, found canonical (standard) passwords on a Siemens Simatic S7 PLC. He was able to shut down the controllers and also to “report false data to make the operator ‘think that everything’s functioning normal, when in fact it’s not.’” The Duqu Trojan software detected in October 2011 by the anti-malware firm Symantec is “scarily similar to the infamous Stuxnet worm, which could disrupt computers controlling power plants, oil refineries and other critical infrastructure networks.” Stuxnet is the worm that disabled the supervisory control and data acquisition (SCADA) systems in Iran’s nuclear-fuel processing facility. “Symantec said whoever is behind Duqu rigged the Trojan to install another information-stealing program on targeted computers that could record users’ keystrokes and system information and transmit them, and other harvested data, to a command-and-control (C&C) server.” Continued on page 37…

InfoSec 1_12-13_Best Crypto Book.indd 13

15/03/2012 08:21

best

OMELAND BOOK CYBERCRIME & HOMELAND BOOK CYBERCRIME &

Ghost in the Wires My Adventures as the World’s Most Wanted Hacker Reviewer: Tony Campbell Qualifications: MSc (Infosec), CITP, MBCS, MIET Authors: Kevin Mitnick, William L. Simon Publisher: Little, Brown and Company Date of Publishing: August 15, 2011 ISBN(13): 978-0316037709 Price: £19.99, $25.99 Rating:

Kevin Mitnick is probably the single most notorious hacker on the planet. The stories about his life and his eventual capture by the FBI have been the stuff of fable for decades, but because of various stipulations and caveats on his release from prison, he has been unable to tell the full, unadulterated story in his own words. Until now that is! And what a tale it is: mystery, intrigue, betrayal, chases, revenge, and eventual capture by the Feds… Ghost in the Wires is a truly gripping read about a boy with a brain the size of a planet who gets bored with the mundane things and life, so starts to explore things that are not directly available to him (albeit illegally), and ends up, as a result on the run from the highest law enforcement authorities in the world. What struck me about this book was the simplicity of how Mitnick slips into being a fugitive, from being a teenager with some playful hacking tricks up his sleeve, to the world’s most wanted cyber criminal in just a few years. However, what made me really sit up and take stock, especially working as a security architect myself, is the fact that at the heart of all his technical know how and genius with a keyboard and screen, the thing that really made hacking work for him was social engineering. People are our

It’s a real eye opener into the mind of the most experienced deception expert of all time weakest link in pretty much every security system Mitnick breaks in the amazing tale of deception – and, interestingly enough, his previous book, The Art of Deception, shows exactly how these sorts of attacks are launched. His other book, The Art of Intrusion, discusses a variety of well-known hacks that have been perpetrated on systems over the past couple of decades, which is also a nice precursor to this particular autobiographical piece. What I liked a lot about this book is that you don’t need to be a technical genius to read it, but I think you get the most fun out of it if you have a technical background. Mitnick does discuss aspects of technical exploits he’s expedited on some of the systems he hacked, but always casts them in such a way to make them accessible to the layman – with the only criticism being how easy he makes them sound: these are

FIRST

easy, if you happen to be a well-practiced conman with the depth of understanding of the computer systems you are attacking that IBM’s chief programmer might have. I must admit, I was worried that I’d get bored reading this book, especially as I’ve read every other cybercrime title going, however this one was different. Hearing this stuff straight from the horse’s mouth (bad metaphor) helped immensely, however, what compelled me the most was the same thing that originally drew me into IT as a career, and then into security – my own innate curiosity. I think a lot of the hacks that Mitnick carried out would have been possible by many more IT experts than the number of actual people that perpetrated them, for one reason alone. Mitnick lost his way. He’s a computer genius, no doubt. He’s a hacker – aren’t we all.? But he crossed the line. And reading about that aspect of his personality, the one that shows he didn’t know right from wrong (or should I say, didn’t seem to care as much as he should have) was what was most compelling. This is a great book. It’s as great for computer geeks as it is for non-technical people, yet I think anyone in the security business will certainly get a little extra kick out of it as it’s a real eye opener into the mind of the most experienced deception expert of all time.

InfoSec 1_14-15_Best Cybercrime & Homeland Book.indd 14

15/03/2012 08:21

RIME & HOMELAND BOOK CYBERCRIME & HOMELAND BOOK CYBE

Kingpin

Internet Searches

How One Hacker Took Over the Billion-Dollar Cybercrime Underground Reviewer: Tony Campbell Author: Kevin Poulsen Publisher: Crown Publishing Group Date of Publishing: 22/02/2011 ISBN(13): 978-0307588685 Price: £15.44, $25.00 Rating:

for Vetting, Investigations and Open-Source Intelligence Reviewer: Roy Hills Author: Edward J. Appel Publisher: CRC Press Date of Publishing: 2011 ISBN(13): 9781439827512 Price: £44.99, $69.95 Rating:

Kingpin is a security book with a difference. Written by senior Wired Magazine editor and ‘Threat Level’ blogger, Kevin Poulsen. This is the true story of the rise to criminal superpower of expert hacker, Max Butler, who singlehandedly enacted the most audacious hostile takeover of any criminal gang on the planet. However, this is not just a book on computer security; this book will appeal to anyone who enjoys a decent thriller – in fact, Poulsen’s style of writing makes this tale more exciting than most of the Clancy and Ludlum books I’ve read over the past 10 years. Kingpin reads like a novel, using plot-enriching devices, such as cliffhangers and subplots to keep the reader interested, however, what’s brilliant is the way Poulsen doesn’t skimp on the technical detail. The hacks Butler used to gain access to credit card payment systems and rival gangs’ servers, such as zero-day exploits and SQL injection attacks, are explained at code-level, but in a way that makes them accessible to the layman. Kingpin is an exciting, hardcode technothriller that takes the reader right to the heart of the identify theft and credit card cloning underworld. If you are a security expert, or a layman interested in this aspect of cybercrime, this is the book for you.

The author is a retired FBI agent and CEO of iNameCheck, which provides investigation and intelligence services. So, he’s got a lot of real-world knowledge when it comes to investigations and intelligence gathering. This comes across in the pragmatic approach he recommends and the numerous examples he cites, and it gives valuable depth to the book. The book gives a wide range of techniques and resources and emphasises the need to cross-reference and verify information. Although Google is covered, one of the strengths of this book is that it’s not just a guide on how to use Google searches to find what you need. Another strong point is the focus on a framework and methodology for searching and vetting. This includes realistic and practical advice, such as realising that no single technique will get all the information you need, the need to have a balanced view and not focus on negative details to the exclusion of others, and the necessity to spend the available time in a structured way. The author has undoubtedly many years experience in the field of investigation and intelligence, and this shows in the professional and pragmatic tone and the numerous examples. The strong points are the emphasis on a framework and methodology, and the focus on the need to verify information and make judgments.

Homeland Security Technology Challenges Reviewer: Michael Barwise Authors: Giorgio Franceschetti, Marina Grossi (eds.) Publisher: Artech House Date of Publishing: 2008 ISBN(13): 9781596932890 Price: £64.00, $95.00 Rating:

According to the preface, this book had its genesis in an international homeland security workshop held in Sorrento, Italy in 2006. We are told that five of its chapters are based on papers presented at that workshop, although it’s not clear from the text which ones these are. Indeed, the entire book is reminiscent of conference proceedings. Although all nine chapters broadly relate to the application of information technologies to homeland security and surveillance, no overall thought progression is discernible as one proceeds through the book. Instead, we have a short introductory chapter on broad homeland security concepts, seven expositions of solutions to disparate and narrowly specific technical problems, and a basic overview of the principles and terminology of IT security. The biggest gripe I have is the complete absence from this book of any social context. It’s essentially about surveillance, yet exclusively about its technical aspects. This book is an interesting, if techno-centric, collection of disparate research papers on applications of IT to surveillance and the processing of intelligence data. Although three years old and thus somewhat behind the leading edge, it could still be of value to readers with sufficient knowledge of computer science, mathematics and physics.

InfoSec 1_14-15_Best Cybercrime & Homeland Book.indd 15

15/03/2012 08:21

feature

ITING IA ARTICLES WRITING IA ARTICLES WRITING IA ARTICLES WRIT

Writing IA Articles by michael kabay

So, how can one approach writing about security? Here’s a quick rundown… • One style focuses on presenting personal opinions without worrying about external references; another includes references for substantive statements or pointers to additional explanatory material. • Some writers emphasize criticism of products, opinions, texts, articles and focus primarily on pointing out weaknesses and errors; others seem to emphasize whatever positive value they can find in their topics and references. • You can read material that uses acronyms and technical terms without definition, on the assumption that everyone reading the contributions must already be familiar with everything the writer knows; on the other hand, sometimes articles include a definition or at least an expansion of every acronym. • Occasionally, you encounter writers who use colloquialisms – often enclosed in quotation marks – and clichés such as sports terms; these articles may also include misused words and ungrammatical constructions. In contrast, other writers seem to use their spell-, grammar- and style-checkers before publishing their work.

The fundamental difference between the first examples and the later examples in each of the bullet points listed is that the bad writers focus on themselves; the good writers focus on their readers. Although opinion columns may be of value (see for example the wonderful work of luminary Bruce Schneier ()www. schneier.com), even Schneier consistently provides references to allow readers to learn about his chosen topics and to judge for themselves whether they agree with him. Expository writing is usually intended to illuminate a subject rather than exclusively to convince a reader to adopt a specific point of view. From my perspective as a columnist in operations management and security writing monthly, and weekly articles since 1986, a technical article should usually emphasize the transfer of information and stimulation of thought, not the expression of emotion. Writers should focus on helping the reader learn more about a topic and provide support for further thought about issues presented in the article.

InfoSec 1_16-17_Writing IA Articles.indd 16

15/03/2012 08:22

S WRITING IA ARTICLES WRITING IA ARTICLES WRITING IA ARTICLES

Technical writing should avoid interrupting the flow of information from the writer to the reader. Errors distract by breaking the thread of communication between writer and reader; an analogy is that errors in performing music prevent the listeners from being entranced by the composer’s creativity and drag the audience into noticing the performer. Thus mechanical errors such as misplaced modifiers, inconsistent tenses, and non-standard punctuation should be corrected before publication to avoid jarring the reader out of concentration on the topic at hand; similarly, stylistic errors such as switches from impersonal reference to the readers (“one can do A; readers should do B”) to direct address (“you are so-and-so; you must do something”) and unnecessary use of the passive voice (“the configuration changes should be completed by the operations group” vs. “the operations group should complete the configuration changes”) interfere with readers’ focus on the meaning of the text and refocus attention on the text itself. In preparing to write a technical article, writers can accumulate a wealth of information from books, refereed journals, professional publications, blogs, and personal communications. Adopting a systematic method for organizing all this information helps the writer avoid wasting time (“I know I had a reference to that somewhere!”). When writing complex text with many references, using footnotes or endnotes may be valuable for both writer and reader; no one should be numbering notes or creating bibliographies manually today: why waste time and risk errors? Products such as MS-Word, EndNote, Zotero and others let the writer focus on content and eliminate concerns about keeping reference numbers correct as they add, move or delete notes or worries about generating tables of works cited in the proper order and format. When paraphrasing written material, professionals provide clear citations to the source of the ideas or information being presented. When quoting text, professionals use quotation marks, ellipses, and square brackets to ensure that readers can distinguish the writers’ contributions or versions of ideas and the original materials being cited. The

three-dot ellipsis (...) marks a section removed from the middle of a sentence in a quotation; the four-dot ellipsis (....) marks a removed section that includes one or more sentence boundaries. Inserted words or changes in capitalization are shown in square brackets ([text]). Thus a modified quotation of this paragraph could look like this: When paraphrasing written material, professionals provide clear citations.... When quoting text, professionals use quotation marks, ellipses, and square brackets to ensure that readers can distinguish the writers’ contributions or versions of ideas and the original materials .... [and] .... [i]nserted words or changes in capitalization.... Sometimes a writer is so deeply immersed in a subject that it’s difficult to look objectively at the draft text. Writers can ask someone else to read the draft and point out ambiguities, errors, or questionable style. Ideally, the fundamental attitude of the author is that all suggestions can be evaluated unemotionally; the attitude of the reviewer is that the author is in control of her work and may accept or reject suggestions without offending the reviewer. These attitudes qualify as egoless work, a term popularized in the 1960s by Gerald M. Weinberg in his classic text, The Psychology of Computer Programming. I hope that these pointers will interest potential writers in contributing to a vibrant community of readers and writers committed to fostering thoughtful interchange of ideas.

FOR FURTHER READING For additional details on all these topics, readers may find the following resources helpful; they are works that I have written to help my students. • On Writing www.mekabay.com/methodology/ writing.pdf • Frequently Corrected Errors www.mekabay.com/methodology/fce.pdf • Organizing and Safeguarding Information on Disk www.mekabay.com/methodology/ osiod.pdf • CATA: Computer-Aided Thematic Analysis www.mekabay.com/methodology/ CATA.pdf • Tips for Using MS-WORD 2007 www.mekabay.com/methodology/ word_tips.pdf • Tracking Changes in MS-Word 2003 www.mekabay.com/methodology/ track_changes.ppt

Michael Kabay began programming computers in assembly language in 1965. He joined Norwich University in 2001, served as Program Director of the Master’s Program in Information Assurance from 2002 to 2009, and was the CTO of the School of Graduate Studies in from 2005 to 2009. Since 1986, he has published over 1300 articles in operations management and security, written a college textbook on enterprise security (McGraw-Hill, 1996), and served as Technical Editor of the 4th (2002) 5th (2009) and 6th (due 2013) editions of the Computer Security Handbook (Wiley).

InfoSec 1_16-17_Writing IA Articles.indd 17

15/03/2012 08:22

best

FORENSICS BOOK DIGITAL FORENSICS BOOK DIGITAL FORENSICS BO

Digital Evidence and Computer Crime 3rd Edition Reviewer: Detective Inspector David Perryman Qualifications: CISSP, A.Inst.IISP Subtitle: Forensic Science, Computers and the Internet Author(s): Eoghan Casey Publisher: Elsevier Date of Publishing: 2011 ISBN(13): 978-0-12-374268-1 Price: £42.99, $69.95 Rating:

Part 1 of this book covers some basic principles of language, courtroom evidence and cybercrime law. This is very much based on the American perspective, with many examples of cases from the USA, with an entire chapter dedicated to American cybercrime law. That being said, however, European law is covered in a more general way in its own chapter. For a worldwide audience, as local law is specific to the local area, it may have been better to put the American and European law study into a single shorter chapter, summarizing these areas of cybercrime law for consideration by investigators. This aim is achieved in the third chapter, which covers presentation of evidence for court, covering different judicial systems and contains a good section on the reliability of digital evidence. The second part, covers Digital Investigations, starts with descriptions of processes and scientific methods, which I found a bit dull. However, the crime scene chapter provides a sound basis for dealing with this crucial area, with particularly good use of practitioner tips. This section ends with chapters on theoretical analysis of evidence and the psychology of offending, neither of which I feel are relevant to the core subject and are better covered by other specialist publications. The next part of the book concerns Apprehending Offenders. Whilst this is

relevant to law enforcement, the details are a bit superficial to be of great value to an experienced investigator. Because of this, it may be of more use to people new to the investigation of crime and of some use for non-law-enforcement forensic investigators. An exception is the chapter on computer intrusions, which jumps into reasonable technical detail on volatile data, a subject that will be of interest to all digital forensic investigators. Part 4, Computers, is the most valuable section in the entire book, starting with a decent attempt at explaining how computers work and store data, leading to more complex and relevant descriptions in the subsequent section on file data. There is good baseline knowledge provided on forensic science and sections covering various operating systems. There is also a chapter on mobile devices, which is only available as a PDF download. The final part of the book is on Network Forensics, providing a reasonable explanation of the subject. As this is a very technical subject, I feel the author has provided the correct level of detail in relation to the target audience for the book. I think this book is aimed at a very wide range of practitioners in the digital evidence field, possibly too wide a net to encompass in such a book. However, it does make a good effort and there

FIRST

is good value for all interested parties throughout the various sections. The flow of the book suffers from an inconsistent level of detail in some of the chapters, possibly due to different contributing authors for each part. This is illustrated in the basic level of some sections, contrasted with more complex technical details in other chapters. Throughout the book there are a number of good case studies used to illustrate points, which enlivens the text. There are also details of legal cases from various legislative areas and examples of relevant situations that demonstrate the points being made. There are also a number of references to other literature and links to website URLs and tools available to assist the practitioner. Whilst there are good descriptions of the various aspects of digital evidence regarding what can be obtained and the processes required to obtain the evidence, there is not very practical advice in terms of ‘how to do’ forensics. I wonder whom the author was seeking as his real target audience? I suspect he intended to appeal to a wide range of people interested in computer crime, and the book does have a ‘something for everybody’ approach. This could be a criticism in attempting to cover such a wide range of topics where a more intensive approach to some areas may have been more beneficial for the experienced forensic examiner.

InfoSec 1_18-19_Best Digital Forensics Book.indd 18

15/03/2012 08:22

SICS BOOK DIGITAL FORENSICS BOOK DIGITAL FORENSICS BOOK DI

Android Forensics Reviewer: Sean Duignan Qualifications: M.Sc, Ph.D, CHFI, FICS, FBCS Author: Andrew Hoog Publisher: Syngress Date of Publishing: July 2011 ISBN(13): 9781597496513 Price: £42.99, $69.95 Rating: At 364 pages of content, organized over seven chapters, with a focus on the ‘practical’ – demonstrating system design, implementation, operation and investigation, for instance, through handson “experiments” – this sizable text will resonate particularly well with readers disposed to activity-centric, learning-bydoing styled narrative. A forty-page opening chapter grounds the reader in the Android space, outlining its history, its relationship with the Linux operating system, the Android Open Source Project (AOSP), and the Android market, before concluding with a brief rationalization of the need for “Android Forensics”. In brief, the author rightly acknowledges that of all the devices an individual might own, one tends to be “more honest with their Smartphone than any other person or device”. ‘Android Forensics’ provides comprehensive coverage of the Android platform, including its design, implementation, operation, investigation, and analysis. With a practical focus from the outset that includes how to acquire and install the Android SDK and build an Android Virtual Device (AVD), this text is particularly suited to those disposed to a hands-on approach to learning about the Android platform from a security and investigation perspective.

Windows Registry Forensics

Virtualization and Forensics

As an experienced security architect I’ve been reasonably familiar with the “windows registry” for many years and have frequently used regedit to look at various keys and values (and have sometimes even taken the dangerous steps of changing values!). In my vast library I also have a number of books describing the registry, although I have to say they are somewhat ancient. However, it was not until I read this book I really appreciated the vast amount of information contained in the various registry files. Indeed I was not aware of forensic importance of these files. The book is not large, it only contains 206 pages, and comprises of four chapters. The first chapter defines what “registry analysis” is and then goes on to describe the windows registry and the various “hives” that constitutes the registry. It introduces the reader to the concept that almost any interaction with a Windows system will leave a trace and hence be potential forensic evidence. Chapter two describes a number of registry analysis tools, some of which the author produced. The third chapter provides case studies on analyzing the various system hives and provides examples on how to obtain various types of forensics evidence from the registry. The final chapter is very similar to the previous chapter but this focuses on tracking user activity.

The book is split into three parts, with only Part 2 being of real use to a digital forensics investigator. Part 1 contains four chapters. The first chapter describes the main categories of virtualization, the other three chapters then go onto describe in more detail server, desktop and appliance virtualization. Part 1 does provide a good summary of the technologies and products present in the market place, but it’s certainly not complete. I found it surprising that VMware’s Thinapp technology (an application virtualization product) is not mentioned at all. Part 2 contains three chapters. The first looks at how to investigate “dead” virtual environments, with the second chapter looking at live environments. The last chapter discusses how to find and image virtual environments. As far as I am concerned this is the real meat of the book, yet it is only 70 pages long. My disappointment in this book is that that I would have liked to see the details provided in other articles I’ve read on the Internet and in magazines. Part 3 concentrates on the challenges presented by virtualization and what the future may hold, especially given the rise of so-called Cloud Computing. The first chapter in Part 3 discusses the issues with demonstrating a clear chain of custody of evidence in a virtualized environment, which I did find very useful.

Reviewer: John Hughes Qualifications: CLAS, ITPC, M Inst ISP Author: Harlan Carvey Publisher: Syngress Date of Publishing: February 2011 ISBN(13): 9781597495806 Price: £42.99, $69.25 Rating:

Reviewer: John Hughes Qualifications: CLAS, ITPC, M Inst ISP Author(s): Diane Barrett, Greg Kipper Publisher: Syngress Date of Publishing: 29 Jun 2010 ISBN(13): 9781597495578 Price: £36.99, $59.95 Rating:

InfoSec 1_18-19_Best Digital Forensics Book.indd 19

15/03/2012 08:22

best

NCE & ISMS BOOK GOVERNANCE & ISMS BOOK GOVERNANCE & ISM

Analyzing Computer Security A Threat / Vulnerability / Countermeasure Approach: International Version Reviewer: John Hughes Qualifications: CISSP, CLAS, ISO 27001 Lead Auditor Author(s): Charles P. Pfleeger, Shari Lawrence Pfleeger Publisher: Prentice Hall/Pearson Date of Publishing: 15 July 2011 ISBN(13): 978-0-13-283940-2 Price: £46.97, $110.00 Rating:

I must declare up front that I know one of the authors very well. Chuck and I were colleagues many years ago at Trusted Information Systems. Having said that it will not in any way temper my views! I was provided with a review copy of the book, which has been updated since the original version was published in the USA The book consists of 793 pages, spread across 18 chapters. As the title says, the book is about threats, vulnerabilities and countermeasures; however, it does not have the typical structure you would expect from a book on this subject. For instance, you will not find chapters dedicated to cryptography or network security; instead, these topics are spread across chapters. Each chapter cover a particular threat, considers a number of vulnerabilities associated with that threat, and then discusses appropriate countermeasures. Some of the chapters also describe ineffective countermeasures – and of course, explain why. Let’s look at what threats and topics each chapter covers: • Chapter 1 introduces the reader to the threat-vulnerability-countermeasure paradigm. • Chapter 2 concerns itself with identification and authentication, examining such attacks as impersonation.

• Chapter 3 is primarily concerned with the “Program Flaw Leads to Security Failing” threat and hence covers systems development and design. • Chapter 4 examines the threat from malware, such as Trojans and Worms. • Chapter 5 looks at key logging. Much of this chapter considers physical security and the insider threat. • Chapter 6 looks at buffer overflow attacks and provides an excellent introduction to the subject. • Chapter 7 considers loss of data, either due to stolen laptops or lack of backups. • Chapter 8 now turns to the subject of rootkit attacks – in particular, how difficult they are to detect. • Chapter 9 looks at investigation, intrusion and compromise attacks, namely the threat of port scanning. • Chapter 10 is concerned with the attack on Wi-Fi networks and the threats due to interception. • Chapter 11 continues with the theme of interception but now looks at wiretaps. • Chapter 12 looks at the “Man in the Middle” attack and describes a number of vectors, including exploits in DNS and the web browser. • Chapter 13 examines integrity failures and forgery attacks. Fake emails are also considered in this chapter.

FIRST

• Chapter 14 covers replay attacks of various forms, including cloned RFIDs, session cookie or password replays, and session hijacking. • Chapter 15 looks at denial of service attacks, whether these are due to network flooding or resource starvations of DNS attacks. • Chapter 16 discusses data corruption, namely correctness and accuracy of information. • Chapter 17 looks at peer-to-peer file sharing (P2P) and all the associated threats and vulnerabilities associated with P2P. • Finally, Chapter 18 considers the loss of confidentiality and privacy. So what did I think of it? I believe it is the best and most comprehensive book I’ve read, providing a complete overview of threats, vulnerabilities and countermeasures. I’d recommend this for any IT architect or specialist wishing to enter the field of security architecture, as well as to anyone who already has that title and wants a good quality reference book. Whilst not aimed at the most experienced of security architects or designers, I believe it would be a valuable edition to the professional’s bookshelf. I can guarantee that I will be referring to it again in the near future.

InfoSec 1_20-21_Best Governance & ISMS Book.indd 20

15/03/2012 08:22

E & ISMS BOOK GOVERNANCE & ISMS BOOK GOVERNANCE & ISMS

Practical Risk Management for the CIO

Security Risk Management

The Security Risk Assessment Handbook

To summarise this book’s content: the first three chapters provide an “executive summary” of the rationale for risk management, the broad nature of information liabilities and the main accepted models for service delivery. Eighty pages of fundamental principles and concepts follow, by the end of which the information management landscape has been well sketch-mapped. Part three is entitled “Liabilities Management” and covers not only technical information risk but general information management, including classification, lifecycles and flows – all of which is critical knowledge if you want to achieve real security. The final part is entitled, “Putting It All Together”, and given the book’s coverage there is indeed a lot to put together. It would obviously be impossible to provide a fulldepth reference on every subject covered in the book within the scope of some 350 pages. Nevertheless, the author has done the next best thing – he’s provided a clear insight into the real-world implementation of information risk management by elegantly avoiding too many of the trees, so the wood shows up in high contrast. The greatest strength of this book is its holistic viewpoint that demonstrates how all the disparate aspects of information management actually fit together to create a robust business asset base.

This book is packed with practical tips and the information contained throughout provides a good overview of the subject matter. The author explains the fundamentals of risk identification, assessment and management, exploring the differences between a vulnerability assessment and a risk assessment, and also providing rationales behind each of the subjects covered. This is not a technical book and the author generally avoids detailed technical analysis; rather it is an aide-memoir for Security Risk Management. Sufficient information is provided throughout to enhance the readers understanding of each phase of the risk management lifecycle, providing practical examples and advice. In addition to identifying business risks, the book also covers various ways in which risk assessments are (or should be) undertaken (in particular for IT systems/projects) and it contains relevant case studies that are presented in simple easy-to-follow terms, which makes the book suitable for beginners and experienced professionals alike. This book is recommended, in particular, for those beginning a career in Risk Management. It also provides a useful reference for current risk professionals who perhaps could benefit from a book that helps refine and further improve their current skillset.

Written for “anyone who wants a more detailed understanding of how to perform a security risk assessment”, this book, now in its second edition, covers a lot of ground for its 450 or so pages: information security, physical and environmental exposures, personnel risk and business continuity. Its author, a onetime senior analyst at the NSA, is clearly highly experienced in managing very large-scale risk assessment. The presentation of the book disrupts the evolution of this reader’s thought process. Numbered and captioned sections with multiple layers of subsections (in places, six deep) break the text into individually captioned fragments sometimes as short as single paragraphs. The diagrams and tables are also separately and sequentially numbered without reference to the subsections they relate to. This book skips over many of the really essential issues, including statistical principles, heuristics and the reduction of bias and uncertainty, issues that make the difference between a security risk assessment in name only and a robust one that can be relied on. In this it is not alone – I have yet to find a security risk practitioners’ handbook that does discuss such matters adequately, but as a result I feel it is not really as complete a guide as its subtitle and the author’s undoubted expertise might have made it.

Reviewer: Michael Barwise Qualifications: BSc, CEng, CITP, MBCS Author: Mark Scherling Publisher: CRC Press, Boca Raton, USA Date of Publishing: 2011 ISBN(13): 9781439856536 Price: £49.99, $79.95 Rating:

Reviewer: John Bennett Qualifications: CLAS, ITPC, IISP Author: Evan Wheeler Publisher: Syngress Date of Publishing: 24 Jun 2011 ISBN: 9781597496155 Price: £30.99 $49.95 Rating:

Reviewer: Michael Barwise Qualifications: BSc, CEng, CITP, MBCS Author: Douglas J. Landoll Publisher: CRC Press, Boca Raton, USA Date of Publishing: 2011 ISBN(13): 9781439821480 Price: £48.99, $79.95 Rating:

InfoSec 1_20-21_Best Governance & ISMS Book.indd 21

15/03/2012 08:22

best

N TESTING BOOK HACKING & PEN TESTING BOOK HACKING & PEN

Metasploit The Penetration Tester’s Guide Reviewer: Liam Romanis Author: David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni Publisher: No Starch Press Date of Publishing: 2011 ISBN(13): 978-1-59327-288-3 Price (US&CA): $49.95, $57.95 Rating:

There are 17 Chapters in this book, which cover all aspects of the use of Metasploit and how this tool can be used in Penetration Testing. Chapter 1: The Absolute Basics of Penetration Testing. This section briefly covers some very basic terms and the general phases of a Penetration Test. Chapter 2: Metasploit Basics. This section covers some general Metasploit terms and methods of using the Metasploit Framework. Chapter 3: Intelligence Gathering. This chapter covers basic information gathering techniques including the extraction of information from whois and DNS, as well as port scanning. Chapter 4: Vulnerability Scanning. This section covers the use of automated vulnerability scanners and some of the auxiliary tools that can be used to scan for particular issues. Chapter 5: The Joy of Exploitation. This chapter details the use of individual Metasploit exploits and the basic use of very useful payloads. Chapter 6: Meterpreter. Here is where the author delves deeper into the use of Meterpreter. Chapter 7: Avoiding Detection. This section covers the various methods for modifying or encoding payloads so that ‘On-Demand’ anti-virus scanners don’t detect your scans.

Chapter 8: Exploitation Using Client-Side Attacks. This chapter covers how browser exploits work (generally) including key terms such as ‘heap spraying’ and ‘NOP Sleds’. Chapter 9: Metasploit Auxiliary Modules. This section discusses the use and usefulness of Auxiliary Modules. Chapters 10, 11 & 12: I found these sections particularly interesting, as I had not used any of the tools discussed before. I looked at all three in conjunction with these chapters and I could see how useful they could be in future tests. Chapter 10: The Social-Engineer Toolkit. This section delves into a lot of details regarding the use of the Social-Engineer Toolkit (SET), which relies heavily on the Metasploit Framework. Chapter 11: Fast-Track. This section goes into a lot of detail regarding the use of the Fast-Track which adds to and complements the Metasploit Framework. Chapter 12: Karmetasploit. This section covers well the use of the Karmetasploit, which adds the functions of the KARMA toolkit for testing Wireless Networks to the Metasploit Framework. Chapter 13: Building Your Own Module. This chapter is dedicated to developing modules for the Metasploit Framework. Chapter 14: Creating You Own Exploits. This chapter is dedicated to developing exploit code for the Metasploit Framework.

FIRST Chapter 15: Porting Exploits to the Metasploit Framework. This chapter focuses on describing for the reader how to take an existing exploit and ‘port’ it to the Metasploit Framework. It uses two different examples in order to describe the conversion of different types of exploit. Chapter 16: Meterpreter Scripting. This chapter focusses on methods for adding additional functionality to Meterpreter sessions. The old method is discussed alongside the use of the Meterpreter API and takes the reader through an example. Chapter 17: Simulated Penetration Test. This chapter takes the reader through the use of Metasploitable, which is a vulnerable distribution designed for practicing some of the main techniques for using Metasploit in a penetration test. Part of the raison d’être for this book is to reveal how rich and powerful the Metasploit Framework is. In this aspect, the book definitely succeeds. It would also provide most readers with the knowledge and techniques required to exploit this powerful tool to their advantage. Whilst seasoned penetration testers will already have a lot of knowledge regarding the use of Metasploit, there may be some key methods and concepts covered in this book which may prove to be of use. For those who have less experience of Metasploit, this book may prove invaluable.

InfoSec 1_22-23_Best Hacking & Pen Testing Book.indd 22

15/03/2012 08:22

G & PEN TESTING BOOK HACKING & PEN TESTING BOOK HACKING

The Basics of Hacking and Penetration Testing

Web Application Obfuscation

Managed Code Rootkits

This book clearly explains the differences between vulnerability scanning and penetration testing and accurately points out that both security people and vendors often incorrectly use these terms interchangeably. The reader is then introduced to a specialist Linux distribution called ‘BackTrack’, which provides a plethora of penetration-testing tools in a graphical menu-driven format. The author gives full details of how to obtain the latest release of this distribution and even recommends a number of Virtual Machine (VM) applications to host it. Since some aspects of penetration testing can be destructive, the setting up of a ‘Hacking Lab’ is advocated in order to constrain all testing to a secure environment. Although this book is ideal for beginners, most security professionals will have been involved with penetration testing during some point in their career. This book is thus an excellent refresher for those of us who fondly recall Nmap, Nessus and Netcat as being the tools of choice for both whitehat and blackhat hackers, but have long-since forgotten the full command-line syntax and would benefit from a refresh. Patrick Engebretson gets the reader involved in the art of hacking from page one and makes this book a fascinating and productive read.

Web Application Obfuscation is 275 pages long and consists of 10 chapters. Chapter one introduces the subject and provides a good introduction to regular expressions. Chapter two goes on to provide an overview and history of HTML and then describes how to obfuscate markup languages. Chapter three delves into JavaScript and VBScript. Chapter four looks at non-alphanumeric JavaScript; how to write the most obscure and obfuscated JavaScript possible. Chapter five goes on to examine CSS (cascading style sheets). Chapter six examines PHP and describes how to perform string obfuscation. Chapter seven goes on to look at SQL and demonstrates obfuscation techniques and how they could be used in database injection attacks. Chapter eight discusses WAFS and client-side filters (or rather, how they can be bypassed). In Chapter 9 the authors describe how some of the attacks can be protected (note the use of the word ‘some’). Chapter 10 concludes this amazing book by analyzing future developments. This is a deep technical read and anyone buying it should have a solid understanding of web technologies and some experience of web programming. I would say it is targeted at penetration testers and security architects, but to the security generalist it also opens up new frontiers when it comes to designing for security.

The book is just over 300 pages in length and is well structured with 10 chapters divided into four logical Parts. Overall the book is very well structured and presented in a way that maintains the reader’s interest, as the author delves ever deeper into why hackers use MCRs to target an organisation’s applications. Continuity of the content is maintained by helpful summaries at the end of each chapter. Although a page of terminology is provided early in the book, it does not cater for the wealth of acronyms and esoteric terms. If I had one criticism, therefore, it would be the lack of a comprehensive glossary. Despite this single omission, Mr Metula is a consummate and talented security practitioner who knows his subject thoroughly. I consider this book to be excellent value for money and would recommend it to any security professional. In today’s austere economic climate, modern IT solutions are being sought that are proven value for money. The use of virtual servers is rapidly increasing as they provide better utilisation and increased productivity of existing resources. This book highlights the risks of adopting such technology and provides valuable advice on countermeasures to mitigate those risks.

Reviewer: Malcolm McKeating Qualifications: CLAS, CISM, CISA Author(s): Patrick Engebretson Publisher: Syngress Date of Publishing: August 2011 ISBN(13): 9781597496551 Price: £13.20, $18.23 Rating:

Reviewer: John Hughes Qualifications: CLAS, ITPC, M Inst ISP Authors: Mario Heiderich et al Publisher: Syngress Date of Publishing: December 2010 ISBN(13): 9781597496049 Price: £30.99, $49.95 Rating:

Reviewer: Malcolm McKeating Qualifications: CLAS, CISM, CISA Author: Erez Metula Publisher: Syngress Date of Publishing: November 2010 ISBN(13): 9781597495745 Price (UK&US): £26.34, $33.41 Rating:

InfoSec 1_22-23_Best Hacking & Pen Testing Book.indd 23

15/03/2012 08:22

InfoSec 1_24_Ad.indd 24

10/03/2012 10:10

editorial

L EDITORIAL EDITORIAL EDITORIAL EDITORIAL EDITORIAL EDITORIAL The following article is taken from the InfoSecReviews.com weekly perception column, written by our very own Mich Kabay. We’ve decided to republish it here for your enjoyment as this particular article has a lot of great feedback.

All We Want Are The Facts, Ma’am Has anyone ever muttered, “Just the facts” to you and explained that it was a catch-phrase used by Jack Webb in his character as Sergeant Joe Friday in the 1950s television series, Dragnet?

Snopes You may know that a good source for checking such a claim is Snopes, which publishes careful analysis of all manner of information circulating in the popular culture, including through chain e-mail letters. Authors Barbara and David Mikkelson write that Joe Friday never said “Just the facts” he used to say “All we want are the facts, ma’am” or “All we know are the facts, ma’am.” The truncated version was invented by satirist Stan Freburg in a spoof called “Little Blue Riding Hood” recorded in 1953. The question of why he would say this primarily to women is left as a discussion for sociologists and historians interested in sexism of the1950s.

Urban Myths The Urban Myths website differs from Snopes in appearance and focus, with bizarre photos and rude headlines such as “Americans Are Becoming Even Bigger Jerks Than Ever Before” and “How a Really Dumbass Publicity Stunt Broke Casey Afleck and May Still Destroy Joaquin Phoenix’s Career.” The contributors seem to be fascinated by bizarre and disgusting hoaxes and by true and horrifying bizarre stories. If you can stand being offended, the site may prove useful, but be prepared for insulting attacks on specific politicians using language suitable for a movie about teenaged prison inmates.

Vmyths For information debunking “computer security hysteria,” the Vmyths site edited by Rob Rosenberger and George C. Smith, PhD, who have steadfastly countered advertising hyperbole and misinformation about antimalware products for more than two decades. They and their colleagues dissect news stories that misrepresent the role of malware and make unsubstantiated claims and predictions about cyber warfare and the end of the world through attacks on computers. These are intelligent contrarians who challenge accepted wisdom by demanding clear reasoning and factual support in all writing but especially in alarming writing.

What about Politics? All right then: Snopes and Urban Myths help us debunk fairy stories circulated by uncritical correspondents who forward anything scandalous or outrageous without bothering to check the facts and Vmyths fights hoaxes about malware. But where do we look for thorough, professional, unbiased analysis of recent statements from our politicians and political candidates?

Politifacts In the United States (US), the PolitiFact is the Snopes of politics. In her description of the origin and management of Politifact, Angie Drobnic Holan explains that “PolitiFact is a project of the St. Petersburg Times and its partner news organizations to help you find the truth in American politics.” Strictly non-partisan, the 2009 Pulitzer Prize Winner has expanded its resources by partnering with other news organizations across the US. The group has “received money from the Knight Foundation, Craigslist Charitable Fund, and the Collins Center for Public Policy.” Politifact published an amusing analysis of politically oriented chain letters circulating through e-mail in recent months. The story was picked up by US National Public Radio on the Morning Edition show for Nov 23, 2011; the transcript includes a podcast of the six minute report.

FactCheck Another helpful resource for checking on political e-mail messages in the US is FactCheck, which is “A Project of the Annenberg Public Policy Center.” The organization describes itself as “a nonpartisan, nonprofit “consumer advocate” for voters that aims to reduce the level of deception and confusion in U.S. politics. We monitor the factual accuracy of what is said by major U.S. political players in the form of TV ads, debates, speeches, interviews and news releases. Our goal is to apply the best practices of both journalism and scholarship, and to increase public knowledge and understanding.” It is funded through grants from foundations and public donations but states that “We do not seek and have never accepted, directly or indirectly, any funds from corporations, unions, partisan organizations or advocacy groups.” In the United Kingdom, The FactCheck Blog from Channel 4 News “goes behind the spin to dig out the truth and separate political fact from fiction;” it has archives dating back to June 2008. The “about” page states that the group has “won an award for statistical excellence in journalism, been cited in parliament and received a sack of email correspondence from readers, some very complimentary, some less so.”

Key indicators that a message is a hoax • Use of exclamation marks and in particular, multiple exclamation marks (no official warning uses them)!!!!!; • Use of lots of UPPERCASE TEXT (typical of youngsters trying to EMPHASIZE points); • Misspellings and bad grammar (typical of non-English speaking foreign phishers); • No date of origination or expiration; • Use of “yesterday,” “last week,” and “recently” with no way to tell what period these descriptions refer to; • References to official-sounding sources or websites (e.g., MICROSOFT, CIAC, CERT) but no specific URL for details (nobody can legitimately cite Microsoft as the source for a warning that hard disks will explode unless you give the sender your credit-card number); • No valid digital signature from a known security organization; • Requests to circulate widely.

InfoSec 1_25_Editorial 2.indd 25

16/03/2012 09:10

best

SECURITY BOOK INFORMATION SECURITY BOOK INFORMATION

Computer Security Handbook, 5th Edition Reviewer: Dave Raimbach Qualifications: CISSP, ISO 27001 Foundation Author(s): Seymour Bosworth, M.E. Kabay, Eric Whyne Publisher: Wiley Date of Publishing: 10th March 2009 ISBN(13): 9780471716525 Price: £150, $220.95 Rating:

Three inches thick, eight parts, 77 chapters, and 2040 pages – this is a significant reference manual! From the first edition in 1973, when it had 12 chapters and 162 pages, to the current version, it has certainly been on steroids. Since the last edition, published in 2002, there are 23 new chapters across 900 pages! And what’s great about this book is that the contributors (and particularly the three main authors) are all well-known, experienced individuals in their own fields. I wasn’t able to read the whole book in one extended sitting due to its size. It’s a handbook, anyway, and is meant more as a reference. In conducing this review I have chosen three chapters by three different authors as being representative of the book as a whole: 1.Chapter 15 – Penetrating Computer Systems and Networks 2.Chapter 27 – Intrusion Detection and Intrusion Prevention Devices 3.Chapter 55 – Cyber Investigation Penetrating Computer Systems and Networks: this chapter is 36 pages of interesting, readable, quality material. Right from the get go it is recognized that there are “Multiple factors involved in system penetration,” and that human behavior can defeat just about any security measure. The

chapter is divided into four main areas, including non-technical and technical security measures, and also considers political and legal issues. The chapter includes an interesting section about the history of penetration testing, starting way back in 1993 with the publication of, “Improving the Security of Your Site by Breaking into it.” Intrusion Detection and Intrusion Prevention Devices: a shorter chapter, at just 16 pages, it nonetheless addresses a number of interesting topics. Intrusion detection and prevention are described to a good level of detail along with where they fit within the overall topic of security management. Intrusions are defined as, “violations of security policy,” and characterized as, “attempts to affect the confidentiality, integrity or availability of a computer or network.” This chapter covers a brief history of IDS and IPS systems, from as early as the 70s and 80s, and the early works on audit, originating from the mid 50s. Much of this early work was funded by the US military. The next section addresses the main concepts of intrusion detection (and then prevention) including information sources (or event generators), the analysis engine, and then the response. Cyber Investigation: this chapter has 26 pages. The introduction to this topic highlights that cyber investigation (or

FIRST

digital investigation), as a relatively new discipline, has made huge advances over the last 15 years. Cyber investigation is now a discipline in its own right, accepted across the entire IT, law enforcement and forensic science communities. Cyber investigation is described here in terms of a taxonomy that was developed and accepted by the DFRWS (the Digital Forensics Research Workshop). The chapter steps through the framework and describes the Identification, Preservation, Collection, Examination, Analysis, and Presentation and describes each of the classes in more detail. The practicalities of an end-to-end digital investigation (EEDI) are presented in nine steps, each of which is formally defined. As with previous editions of this book, the final chapter is written by a guest security luminary – in this edition it is Dr. Peter G. Neumann who has contributed, “The Future of Information Assurance.” This book will appeal to students, practitioners and researchers alike, and those concerned with computer and network security will greatly benefit from this handbook. The 5th edition of the book has grown considerably from the last version and even with its substantial price tag still represents considerable value. It is a major source of information, which I will be happy to have on my bookshelf!

InfoSec 1_26-27_Best Information Security Book.indd 26

15/03/2012 08:23

ATION SECURITY BOOK INFORMATION SECURITY BOOK INFORMA

Keeping Your Data Secure

The Essential guide to Home Computer Security

Information Security

This book bills itself as “101 Tips You Must Know” and it will come as no surprise that these are quite simply the distilled basics of good practice around maintaining secure data, systems and network. Particularly, at the smaller end of this size spectrum, the IT Admin role is often not a formal role, and the person doing it is frequently what Gibbs describes as a “well-meaning part-timer”, i.e. the employee who happens to know most about IT and hence picks up the IT jobs, with probably no knowledge of basic IT security. It is these kind of organisation that often have little understanding of the risks their systems and data are exposed to via the Internet, as well as other means, or of how to mitigate these risks. If you run a small business, or are the IT person in one (or maybe just have a computer with personal data and an Internet connection) this book is an excellent starting point to find out about general security principles and begin to get on the right track. This is a terrific little book for the Director or IT person in a small business or similar organisation. A collection of easy-to-understand basic security actions, indicating their costs and benefits, it is worth every penny to help start addressing the non-IT professional’s “unknown unknowns” around IT security.

It would be possible to read this book through in a single session, but I suspect most readers will read it in stages, possibly one chapter at a time, and then refer back when required. The chapters cover areas that I would suspect all readers would want to cover, even if they are not looking to gain the knowledge to carry out technical operations themselves. For example, the chapter that looks at viruses and other malignant software discusses sourcing and installing anti-virus software but doesn’t give specific direction on how to install the software, preferring, quite rightly in my opinion, to suggest this information will be provided by the vendor. This permits this essential advice to retain additional relevance and longevity than a step-by-step guide to specific products; so avoiding confusion between the advice of the vendor and the author. It also allows for the greatest focus to be on understanding the nature of the threats, how they attack and how to recognize them. I would have no hesitation in recommending this book to the educated computer user who is concerned with their ignorance with regard to information security. It is well written and nicely paced and gives good insight into the perils of home computer use, while respecting that the reader is not a technical user and probably doesn’t want to become one.

The fact that this book includes no fewer than 500 ‘homework’ problems, a bibliography with over 300 entries, and an appendix that includes a section on ‘Math Essentials’ clearly indicates the nature of its intended readership. Professor Stamp expresses the hope that his book will also be a useful resource for working IT professionals and this review is being written from that standpoint. Certainly, the Information Security Manager hoping for guidance on how to establish a robust ISMS (perhaps in order to gain ISO/IEC 27001 certification) will need to look elsewhere. The book is divided into four main themes: Cryptography; Access Control; Protocols and Software. The section on Cryptography, which is by far the longest, covers the topic in a sensible order, moving from the basics through Symmetric Key crypto, to the development of Public Key techniques and advanced cryptanalysis. The mathematical basis of the techniques described is also well covered, with helpful simplifications being clearly indicated. However, the approach is suitably rigorous where it needs to be, for example, when distinguishing cryptographic hash functions from looser uses of the term ‘hashing’. As far as specifics are concerned, the text includes a description of RC4, DES, Triple DES, RSA, AES, Diffie-Hellman (for key exchange) and the Elliptic Curve (ECC) domain.

Reviewer: Richard Weatherill Qualifications: MBCS, CITP, CLAS Author: Stephen Gibbs Publisher: Snappy Titles Date of Publishing: 2011 ISBN(13): 9780956816504 Price: £13.99/ $24.99 Rating:

Reviewer: Wendy Goucher Qualifications: BA (hons) Author: Robert R. Rowlingson Publisher: British Informatics Society Ltd. Date of Publishing: 2011 ISBN(13): 9781906124694 Price: £14.24 $24.99 Rating:

Reviewer: Richard Weatherill Qualifications: MBCS, CITP, CLAS Author: Mark Stamp Publisher: Wiley Date of Publishing: 2011 ISBN(13): 9780470626399 Price: £73.50, $110.00 Rating:

InfoSec 1_26-27_Best Information Security Book.indd 27

15/03/2012 08:23

feature

GRESS SYNGRESS SYNGRESS SYNGRESS SYNGRESS SYNGRESS SYN

Ask… the Publisher Syngress, the commercial infosec publisher owned by academic giant, Elsevier, is by far the most prolific information security publisher around, producing a broad spectrum of highquality books in all the major subject areas required by the information security professional (from digital forensics to hacking, to physical security and risk management). The following interview is with Chris Katsaropoulos, one of Syngress’s most senior acquisition editors, who offers us some interesting insights into information security publishing, as well as some guidance to budding authors as to what they are looking for over the coming year. You have a variety of subject areas you publish in, such as digital forensics, certification and hacking. In which subject do you sell the most books?

We sell the most books in digital forensics, followed closely by hacking and penetration testing.

12. In addition to those, we’re seeing lots of new titles on analyzing human and social aspects of security threats.

As the publisher with the widest range of books in this profession, have you noticed any trends in the last 5 years? We have noticed a shift towards publishing more conceptual books that teach readers about the methodologies used in a particular area. Tools and threats change rapidly; deeper conceptual understanding can be applied using a wide range of tools.

We have noticed that you have published quite a few books on Cloud and Virtualisation in the past two years. What drove you to publish so many books on these subjects? As so much data is moving to the cloud, it has become a key area for information security and threat management.

What do you believe will be the trend in the next year or two and are there any new “hot” topics on which you will be publishing books? We’re looking to publish several new titles on Android and iPhone hacking and threats, as well as new titles on Windows

In certain areas information security is a fast changing area; particularly concerning products. How do make sure your books are published in a timely manner? We have a very fast editorial and production process, which is very streamlined, using electronic editing and page layout techniques, while ensuring thorough technical review of the books.

InfoSec 1_28-29_Syngress.indd 28

15/03/2012 08:24

ESS SYNGRESS SYNGRESS SYNGRESS SYNGRESS SYNGRESS SYNG

We typically publish a book within four months of receiving the final manuscript from the author. How are e-books impacting your business? Do you see a point in time when you will sell only e-books? We are seeing ever-growing demand for ebooks, and we view this as simply an additional format for delivering our content to our readers. That said, we continue to receive comments from our readers and reviewers saying they prefer to read their books in print, and we will continue to support both print and ebook formats for the foreseeable future. What criteria do you have in selecting a subject for a book? We look for topics that are current and also topics that have a relatively broad appeal. We strive to provide the most up-to-date

We continue to receive comments from our readers and reviewers saying they prefer to read their books in print, and we will continue to support both print and ebook formats for the foreseeable future information on topics that are of most use to the infosec community, and to provide hands-on, applied techniques written by the top professionals in the field. What do you look for in a writer, and what advice would you give them? We look for writers who have a great deal of experience in the industry, often with name recognition as speakers at conferences, such as RSA and Defcon. We

also look for insight from the writer with a unique and fresh perspective on the topic in his or her book proposal. If someone is interested in writing a book, how should they contact you? We always welcome new book proposals â&#x20AC;&#x201C; our authors have the best understanding of whatâ&#x20AC;&#x2122;s happening in the field. Authors can contact me with new book proposals at chris.k@elsevier.com

InfoSec 1_28-29_Syngress.indd 29

15/03/2012 08:24

interview

MICHAL ZALEWSKI MICHAL ZALEWSKI MICHAL ZALEWSKI MICHAL ZA Michal Zalewski is a long-standing computer security geek with a secret crush on robotics (http://lcamtuf. coredump.cx/robot/). He took his first baby steps in the field of information security way back in the glorious mid90s, and since then he’s made a fair number of contributions to vulnerability research and software security. Michal is the author of two information security related titles: Silence on the Wire (2005) and The Tangled Web (2011). Michal, you are obviously very passionate about information security, how did you get interested in this subject? Oh, it started the usual way: for as long as I can recall, I had this fascination with electronics, computers, and simply figuring out how things work. I learned the basics of programming on an 8-bit computer long before seeing my first video game, and that probably helped guide my interests to some extent. For a while, I tried my luck as a software developer, with not much to show for. I eventually found out that I fared much better picking apart the reasoning of others – and coming up with ways to fix the resulting mess. I published some of my findings on industry-wide mailing lists, got noticed, and landed my first infosec job. I’m afraid I don’t have a secret recipe to share: as with so many other things in life, a combination of persistence and luck always played a role for me. I don’t think I’m particularly clever in what I do, but the sustained passion and the desire to keep learning definitely helped me through the years. It sometimes takes effort to sustain and cultivate this “hacker” spirit – but by the end of the day, it tends to pay off. When did you get the idea for writing your book The Tangled Web – A guide to Securing Modern Web Applications? How long did it take to write? The idea came up somewhere in 2008. I realized that there is an insane number of books on web security out there, but that all of them are very much alike: they regurgitate the same list of common web vulnerabilities, yet do very little to equip the reader to deal with contemporary, incredibly complex web apps. Alas, in the end, it does not matter how many OWASP-

mandated flavours of XSS you can name: if you don’t understand the subtleties of the same origin policy, the frame navigation rules, or some of the finer aspects of resource inclusion and content sniffing, you probably will not be able to survive. The Tangled Web is essentially an attempt to fix that problem, and present an accurate, detailed, and engaging account of the security landscape that web applications need to live in. Oddly enough, I think it’s the first book to ever entertain that thought. There are several years of on-and-off research behind TTW, but the actual writing process did not take long: probably around 10 months. Was there a particular topic or chapter you found difficult to write? Some of the seemingly unassuming chapters – such as the one on HTTP – took a fair amount of effort to structure sensibly: there is a remarkable breadth of information we needed to cover, and we spent quite a bit of time trying to strike the right balance between brevity, depth, and maintaining a consistent, engaging narrative. How do you think the threats to web sites have changed over the last 5 years? Is there a particular trend? I do not think there is a strong qualitative difference: the web is clearly gaining prominence as the attack surface, and there are interesting trends in commerciallyor politically-driven exploitation on a large scale. Yet, the problems we have to deal

with, however, remain stubbornly the same. Cross-site scripting and SQL injection are not going away any time soon. Are there any emerging new threats that we should start worrying about? There are several broad areas of concern that the industry at large chooses to ignore – not out of spite, but out of necessity. For as long as there are more primitive attack venues (e.g., phishing) that can be exploited with remarkable success, there is probably no point in tackling some of the more nuanced challenges. That said, we devote a good part of The Tangled Web to reviewing the future challenges the web may be facing in the coming years: problems such as UI timing (Chapter 14) may emerge as a prominent threat in the not-too-distant future. If there was one piece of advice you could give to an organisation developing a new web site, what would it be? Regrettably, there are no silver bullets – and you should beware of strangers who offer you one. It’s a topic we cover in the introduction to the book, and the conclusion is that for time being, there is simply no substitute for street smarts: if you don’t have clued engineers, and someone who is passionate about information security, there are things you will learn the hard way. With different vulnerabilities and threat vector emerging all the time do you plan to produce a new version in the future? Quite likely.

InfoSec 1_30_Author Interview 2.indd 30

15/03/2012 08:24

InfoSec 1_31_Ad.indd 31

10/03/2012 10:13

best

SECURITY BOOK NETWORKING SECURITY BOOK NETWORKING S

Practical Packet Analysis Using Wireshark to Solve Real-World Network Problems 2nd Edition Reviewer: John Hughes Qualifications: CLAS, ITPC, M Inst ISP, ISO27001 Lead Auditor, GCFE, MBCS Author(s): Chris Sanders Publisher: NO STARCH PRESS Date of Publishing: 8 July 2011 ISBN(13): 978-1593272661 Price: £39.49, $49.95 Rating:

I have to admit upfront, I’m a huge Wireshark and have been using it for a long time. In fact, it seems to have ruled my life over the last three years on a particular project I’m working on. Frequently, I am called in to fire up Wireshark to investigate some interoperability issues, or even to prove a particular connection is secure (or insecure). So, when I was asked to review this second edition I jumped at the chance. The book is not large: 255 pages and consists of 11 chapters. Chapter 1 sets the scene, defining some terms and basic networking as well as explaining why “packet sniffing” is so useful (and powerful). It also provides some selection criteria on how to chose a sniffer, although all the examples in the book are based on the freely available Wireshark. Chapter 2 examines the decisions to be made as to where to locate the network sniffer, whether it is in a hub, switched or routed environment. Chapter 3 introduces the reader to Wireshark providing a brief history (including its predecessor, Ethereal). The chapter explains how to install Wireshark as well as some basics of settings the preferences. Chapter 4 describes how to work with captured packets, such as saving and opening captures and setting capture options

and filters. It provides some very useful explanations of the capture and display filters – which in the real-world environment are essential. Chapter 5 goes on to describe some of the more advanced Wireshark features. These include: viewing network and networking conversations; protocol statistics; and following TCP streams. Chapter 6 provides the reader with a good overview of the “base” protocols any network investigator needs to understand, namely: ARP, IP, TCP, UDP and ICMP. Chapter 7 then goes on to describe a number of upper layer protocols that one would normally come across; DHCP, DNS and HTTP. As with the lower level protocols, these protocols should be understood by an investigator. For each protocol, the author describes the protocol in detail then shows us exactly what it will look like in Wireshark using decent resolution screenshots. Chapter 8 provides a number of real-world scenarios, social networking and ESPN. Although I have to say most of my real-world situations, at least within an organization, seems to revolve around HTTP, SSL and LDAP. Chapter 9 describes the issues of a “slow network” when retransmission becomes an issue. Chapter 10 considers the use of Wireshark for security purposes, including reconnaissance and exploitation. This includes using Wireshark to quickly look

FIRST for SYN attacks as well as for open TCP ports. It also provides some information about being able to fingerprint target computers, although of course tools such as Nmap would normally be used for such an activity. There is also a very interesting section describing how a user of Wireshark can look for ARP Cache poisoning attacks. The final chapter examines the world of wireless sniffing, looking at both the Windows and Linux world. Quite righty, the book explains that for most Windows environments you will not be able to sniff wireless networks unless you purchase AirPcap. Whilst the book did not teach me anything new, I did rather enjoy reading it. It is well written and an excellent introduction to the art of network sniffing and the use of Wireshark. Many of the examples it provides throughout the book can be downloaded as Wireshark capture files and viewed by the reader. In the future, rather than giving my colleagues a quick training course of Wireshark, I think I will just point them to this book. Practical Packet Analysis is an excellent introduction to the world of network sniffing. I would recommend it to anyone wishing to enter this world. Not only is it a gentle introduction, it also allows the reader to start on the road of mastering the subject.

InfoSec 1_32-33_Best Networking Security Book.indd 32

15/03/2012 08:24

KING SECURITY BOOK NETWORKING SECURITY BOOK NETWORK

Network Flow Analysis

Network Security Auditing

SSL and TLS Theory and Practice

Network Flow Analysis is a superbly written dive into network flow data analysis, from building the collection system to analyzing the data. In a slim, 189 pages, Michael Lucas covers the subject concisely and at impressive depth. Lesser authors might easily have expended twice as many pages to cover the subject half as well. Lucas’s smattering of “bastard operator from hell” humor, along with his knack for getting quickly to the point, keeps some highly-technical content from becoming overly dry. Lucas begins by describing the general problems that analysis of flow data can help to solve, including its ability to help with that most fundamental of network administration problems: our “abiding and passionate desire for our users to shut up.” He then explains what network flow is, provides a brief history of the technology, and describes, in stepwise fashion, how to implement an open source flow monitoring system using softflowd and flow-tools. Regardless of its few flaws, Network Flow Analysis still lives up to and exceeds most expectations. Readers will learn how to use the selected tools to deploy a flow monitoring architecture and analyze the resulting data. But even those who already have a system in place, be it open-source or commercial, can still find value in Lucas’s beginning-to-end presentation of network flow.

This book (whilst being very informative and well written) clearly has a bias towards the US market and this factor is likely to frustrate those readers from elsewhere in the world. In addition, there is an assumption (for much of the technical content) that readers are using (or are going to be using), Cisco hardware/software to the exclusion of all other products. Whilst accepting that Cisco products are popular (and this is written by Cisco Press), by focusing almost entirely on this range of networking products (to the exclusion of all other manufacturers) it has the potential to limit the readership further. This would be a shame as this book provides a very good reference for IT networking professionals. The use of both commercial and open source tools to assist in auditing and validating security policy assumptions is covered well. There is also sufficient information provided to assist the reader help create, define and construct relevant policies in support of the technical information provided within. Despite the very obvious Cisco slant, Network Security Auditing provides a detailed, technical, auditing reference with respect to Information Security. It provides the reader with detailed diagrams and screenshots in support of the technical information and comprehensive checklists.

I’ve had a long “love affair” with SSL/TLS in its various guises – all the way from the early days when it was an emerging technology from Netscape. I’ve lost count of the number of times I’ve used a network sniffer (especially Ethereal/ Wireshark) to investigate issues with SSL/ TLS, including incorrect implementation of the standard. One of the most thumbed books in my library is SSL and TLS Essentials, written by Stephen Thomas and published by Wiley (a book I treasure as it was signed by the author, who I worked with a long time ago). So, when I was asked to review this book, the standard I was comparing it against was that Wiley book. So, is the book worth buying (compared to the Wiley book)? In general, I would say yes. The Wiley book was written just as TLS was emerging and certainly doesn’t cover TLS 1.1 or TLS 1.2. So, if you want an up-to-date-book on the subject then this would be a good book to buy. However, the book is not without its weaknesses. At £60.00 this is quite an expensive manual, but if you are someone who needs to become familiar with SSL/TLS and struggle to understand the IETF RFC standards, then this is a book you should consider purchasing; it is targeted at anyone going to implement SSL/TLS based services and Security Architects.

Reviewer: Gregory Pendergast Qualifications: GCWN, GSEC, CISSP Author: Michael W. Lucas Publisher: No Starch Press Date of Publishing: June 2010 ISBN(13): 9781593272036 Price: £31.49, $39.95 Rating:

Reviewer: John Bennett Qualifications: ISO27001 Lead Auditor Author: Chris Jackson Publisher: Cisco Press Date of Publishing: June 2010 ISBN(13): 9781587053528 Price: £50.00, $70.00 Rating:

Reviewer: John Hughes Qualifications: CLAS, ITPC, M Inst ISP Author: Rolf Oppliger Publisher: Artech House Date of Publishing: Oct 2009 ISBN(13): 9781596934474 Price: £60.00, $89.00 Rating:

InfoSec 1_32-33_Best Networking Security Book.indd 33

15/03/2012 08:24

best

STRATION BOOK SYSTEMS ADMINISTRATION BOOK SYSTEMS ADM

Thor’s Microsoft Security Bible A collection of Practical Security Techniques Reviewer: Michael Hughes Qualifications: CISSP, CISM, CLAS, ISO 27001 Lead Auditor, AST Author(s): Timothy “Thor” Mullen Publisher: Syngress Date of Publishing: 2011 ISBN(13): 978-1-59749-572-1 Price: £36.99 $59.95 Rating:

FIRST

I have been involved in security for over 30 years, starting in physical security and then moving into IT Security, having worked in a number of different environments, from SMEs to large data centres, I have always had an interest in the different views of security and the variety of methods for increasing the security of servers and the general infrastructure. The book is a reasonable size and consists of 399 pages across seven chapters. There is no logical flow through the book as each chapter is effectively standalone, dealing with each specific topic. The book is a good solid reference guide and probably not something you would sit down and read cover to cover, unless you want to implement all of the topics covered; saying that, however, it is an excellent reference for configuring and/or implementing the specific security solutions covered. Thor’s Microsoft Security Bible goes into a good level of detail of the different aspects of security, including communications and system hardening; even though it assumes that the OS is already hardened. There are good examples provided throughout and the author has supplied a large number of screen shots and code examples that allows him to walk the reader through

There are good examples provided throughout and the author has supplied a large number of screen shots and code examples that allows him to walk the reader through the configuration – this is especially useful if you are looking to implement the solution described in the book the configuration – this is especially useful if you are looking to implement the solution described in the book. The advice provided in this book is of the highest quality and, even if the reader does not want to follow the whole solution laid out in a chapter, it is possible to mix and match with other items covered in different chapters. For me, the key chapter was the last one on securing RDP as this is something that nearly all organisations now use, and therefore it is vitally important it is secure. Accompanying this book, the publisher has supplied a DVD containing a variety of useful applications, which, while

not having tried them all myself, they certainly look interesting and I am sure I will have a closer look in the near future. This book is aimed at technical, security and non-security professionals alike, used to bolster their security knowledge and to allow them to harden services that are often reliant on general OS hardening and firewalls. The book offers detailed descriptions on how to provide secure infrastructure services, such as SQL, as a leastprivileged account, and therefore offers system engineers a guide to bolstering their system’s security posture as much as is possible.

InfoSec 1_34-35_Best Systems Admin Book.indd 34

15/03/2012 08:25

MS ADMINISTRATION BOOK SYSTEMS ADMINISTRATION BOOK SYST

Microsoft Windows Security Essentials

Securing SQL Server

Pro DNS and BIND 10

Reviewer: Michael Barwise Qualifications: BSc, CEng, CITP, MBCS Author: Darril Gibson Publisher: Sybex (Wiley Publishing Inc) Date of Publishing: 2011 ISBN(13): 9781118016848 Price: £26.99, $39.99 Rating:

Reviewer: John Hughes Qualifications: CLAS, ITPC, M Inst ISP, GCFE Author: Denny Cherry Publisher: Syngress Date of Publishing: March 2011 ISBN(13): 9781597496254 Price: £30.99, $49.95 Rating:

Reviewer: Roy Hills Qualifications: CHECK Team Leader, CREST Assessor Author: Ron Aitchison Publisher: Apress Date of Publishing: 2011 ISBN(13): 9781430230489 Price: £39.49, $49.99 Rating:

This is not a systems security handbook for the general reader, but one of many preparation guides for the Microsoft Technology Associate (MTA) exam in Security Fundamentals (exam reference 98-367). This exam is one of four Microsoft qualifications in fundamentals designed to equip new entrants to the IT infrastructure profession with a basic knowledge of terminology, concepts and the configuration of Microsoft products. In common with most vendor qualifications, this syllabus seems rather sketchy on underlying principles, concentrating primarily on the security facilities offered by the Windows product line. Given the purpose of this book, the content is inevitably constrained by the examination syllabus, and is therefore somewhat superficial. Nevertheless, rather than slavishly progressing module-by-module through the exam, the author has rendered a coherent and intelligent account of technical security basics in a form that is logical and easy to read, providing a cross-reference to the exam structure in an appendix. A highly recommended study guide for the MTA Security Fundamentals examination. Its few failings are primarily those of the exam syllabus rather than the fault of the author. The text is clear, logical and memorable, and will prove invaluable to those preparing for exam 98-367.

Whilst most vendors provide at least some guidance on the security configurations of their products, I also like to refer to independent reference material. This can take the form of publications from organizations, such as NSA, NIST, DoD/STIGs, CIS or OWASP, or indeed a published book. From the point of view of decent information, however, SQL Server has proved to be a bit of problem in recent years. Microsoft does publish some good material, but it is hardly independent. In recent times the only independent material I could find was published by Center for Internet Security (CIS), but this referred only to SQL Server 2005 (Security Configuration Benchmark for Microsoft SQL Server 2005). Textbooks on SQL Server normally have a section on security, but frequently the subject is covered in 20, or if you are lucky, 30 pages. Therefore, I welcomed a book on the subject that covers SQL 2000 all the way through to SQL Server 2008 R2, as well as coverage of the latest SQL Azure product. Securing SQL Server is a must read for any architect or database administrator wanting to secure their SQL Servers. Given the sensitive data that SQL Servers could hold, it is vital that one understands the potential attacks and how to protect yourself from them. This is the book to help you understand.

Pro DNS and BIND 10 is a big book: it’s 692 pages long, 23.5cm x 19cm in size, and set in a small font size with minimal leading. It’s divided into three parts, which cover everything from the principles of DNS, through installation and security, to programming APIs and the structure of DNS packets. Given the breadth of material outlined in the table of contents and the wide intended audience of “beginner to advanced”, the size is understandable. The first few chapters introduce technical DNS terms in ways that could be confusing for a beginner. For example, chapter one, “An Introduction to DNS”, starts by talking about “the physical address of a name server”. The use of the words “physical address” for a network-layer address is non-standard and could confuse. There’s more scope for confusion in chapter two, which contains an example zone file with two NS records. Apart from a few minor errors, the content from chapter three onwards is generally good and accurate. It’s a good book for someone who knows the basics of DNS and wants help with the details of configuring and securing a BIND 9 system. But there are better DNS books for the beginner, and it will not satisfy anyone looking for details of the forthcoming BIND 10.

InfoSec 1_34-35_Best Systems Admin Book.indd 35

15/03/2012 08:25

best

NAGEMENT BOOK IDENTITY MANAGEMENT BOOK IDENTITY MANAG

Securing the Cloud Cloud Computer Security Techniques and Tactics Reviewer: John Hughes Qualifications: CLAS, ITPC, M Inst ISP, ISO27001 Lead Auditor, GCFE Author(s): Vic (J.R.) Winkler Publisher: Syngress Date of Publishing: May 2011 ISBN(13): 978-1-59749-592-9 Price: £36.99, $59.95 Rating:

FIRST

In 2010 and 2011, a large number of books were published on both cloud computing and virtualization. So, it was with interest that I started reading this book, if only to establish whether it set the bar high enough on cloud security; more on the answer to that question later. At 290 pages, Securing the Cloud provides the reader with a comprehensive overview of cloud security. It consists of 10 chapters, progressing from an introductory chapter, through the architectures and technologies involved in cloud computing, until finally looking at the selection, implementation and operation of a cloud. The book is designed for those professionals or organisations that require a good, high-level framework in which to systemically design security from “cradle to grave”. Chapter 1 introduces the reader to the overall concept of cloud computing in the context of information security. It provides a historical view of the subject matter and describes the evolution from the mainframe computer to the present day. It also begins the journey of explaining the role of virtualisation in cloud computing. Chapter 2 then goes on to describe a number of different cloud computer architectures and service models before Chapter 3 delves into the examination of the risks of using a cloud, along with regulation, legal

The final chapter discusses running a cloud-based system, looking specifically at topics such as patching, security monitoring, and incident response considerations and, in particular, privacy and confidentiality concerns. Chapters 5, 6 and 7 drill into how you should go about securing a cloud based network solution, for each of the different cloud architectures discussed in the previous chapters. This chapter looks at the security controls one needs to consider during this process, including those you would implement in a “normal” architecture (but with a “cloud” spin). For instance, what does it mean to perform security monitoring in a cloud-based architecture? Chapter 7 provides best-practice guidance on how to implement strategies for effectively managing risk in the cloud.

Chapter 8, entitled, ‘Selecting an External Cloud Provider,’ is an extremely useful chapter and readers will find it invaluable. The chapter goes through all of the criteria you should use when selecting a cloud provider. Another very useful chapter is Chapter 9, which provides an information security framework for assessing the security of a cloud. In particular, it provides seventeen individual checklists for evaluating different aspects of cloud security. These checklists could be used either during the procurement cycle, or, indeed, when you are considering an ISO 27001 style of audit of an existing cloud solution. The final chapter discusses running a cloud-based system, looking specifically at topics such as patching, security monitoring, and incident response. Whilst this is an excellent book, it is, however, not without its faults, which is why I’ve only given it a rating of 4 stars. The most perplexing aspects are the discussions (endnotes) at the end of each chapter and the use of “ibid”. For many readers, this will be confusing, especially when the endnotes at the end of Chapter 2 have three references to the same NIST publication. Securing the Cloud is the most useful and informative of all the books published to date on cloud security. If you are going to procure a cloud solution, or are already operating a cloud system, I would strongly recommend that you buy a copy.

InfoSec 1_36-37_Best Identity Management Book.indd 36

16/03/2012 09:15

MANAGEMENT BOOK IDENTITY MANAGEMENT BOOK IDENTITY MAN Oil Industry Open to Cyberattacks

Information Security Management Principles

Privacy and Big Data

Reviewer: John Hughes Qualifications: CLAS, ITPC, M Inst ISP Author(s): Andy Taylor et al Publisher: British Computer Society (BCS) Date of Publishing: October 2008 ISBN(13): 9781902505909 Price: £24.95, $44.95 Rating:

Reviewer: Michael Barwise Qualifications: BSc, CEng, CITP, MBCS Author(s): Terence Craig and Mary E. Ludloff Publisher: O’Reilly Date of Publishing: 2011 ISBN(13): 9781449305000 Price: £15.50, $19.99 Rating:

The Information Systems Examinations Board (ISEB), an examination awarding body and part of BCS, has been issuing an Information Security Management Principles (CISMP) certificate for years. This is the book that accompanies the syllabus issued by the ISEB: the syllabus that this version of the book covers is not the latest (version 7.2 at the time of writing this review), however this does not in any way devalue the book and I would highly recommend any student considering the CISMP examination to purchase a copy. This book is 193 pages long and is structured to conform with the version of the syllabus when it was published. Therefore, chapter one covers section one of the syllabus (i.e. Information Security Management Principles), and each chapter is structured to describe each sub-section of the syllabus. I particularly like that for each subsection of the syllabus the book defines the learning outcomes and provides one or more activities for the student to undertake to assist in the learning process. Although the book is targeted at students taking the CISMP examination, I would still recommend this book for any IT professional wishing to understand more about information security. The language used in the book is very accessible, so I would also recommend it to any senior manager wishing to understand the basics.

One of the book’s strong points is pretty much equal attention afforded to privacy in the US and Europe, the latter usually finishing up as a country cousin in books published in the United States. Even more unusually, it goes further by touching, albeit very briefly, on privacy in other economic regions as well. However, its readability does leave a bit to be desired. Although it is divided into distinct sections – an overview, separate sections on privacy rights, regulators and data processors, and a final summing up – there is considerable repetition and overlap, so the text seems in places rather repetitive. The text is also liberally scattered with URLs. Except that the transient nature of web documents could limit the book’s shelf life, I would have no objection to this if many of the URLs were not three to five text lines in length. As the majority of these massive URLs consist largely of complex path specifiers and cryptic hash strings, they’re essentially unusable by the general reader of a printed edition, and they break the thread of the text, making reading difficult. A lightweight introduction to online privacy, this book is best suited to the non-specialist, casual reader, although for the price of the print edition, more exhaustive texts may be available. The e-book would be more convenient than the print edition due to the liberal use of URLs throughout the text.

By Mich Kabay Continued from page 13… In December 2011, a speaker from Shell Oil at “the World Petroleum Conference in Doha [said] that the company had suffered an increased number of attacks motivated by both commercial and criminal intent.” The manager warned, ”If anybody gets into the area where you can control opening and closing of valves, or release valves, you can imagine what happens. It will cost lives and it will cost production, it will cost money, cause fires and cause loss of containment, environmental damage – huge, huge damage.” The FinancialMirror, reporting on the same presentation, wrote that “Hackers are bombarding the world’s computer controlled energy sector, conducting industrial espionage and threatening potential global havoc through oil supply disruption. Oil company executives warned that attacks were becoming more frequent and more carefully planned.” They added (quoting an interview): “Cyber crime is a huge issue. It’s not restricted to one company or another it’s really broad and it is ongoing,” said Dennis Painchaud, director of International Government Relations at Canada’s Nexen Inc. “It is a very significant risk to our business. It’s something that we have to stay on top of every day. It is a risk that is only going to grow and is probably one of the preeminent risks that we face today and will continue to face for some time.” Other speakers interviewed in the FinancialMirror story explained that cyberattacks could be used for financial gain: reducing the flow of oil could raise prices – and threats and incidents involving oil-industry installations could allow criminals and state-sponsored cyberattackers to profit using the futures market. Readers interested in learning more about SCADA vulnerability testing will find a valuable resource by Joel Langill online at SCADAhacker.com, which includes dozens of professional papers by the penetration expert.

InfoSec 1_36-37_Best Identity Management Book.indd 37

15/03/2012 08:25

authors

ENT RECRUITMENT RECRUITMENT RECRUITMENT RECRUITMENT RECRUI

get writing InfoSec Reviews is currently seeking information security professionals to get involved in writing content for the website. We are interested in obtaining reviews on the following: • • • •

Technical security books Risk management books True crime (cybercrime) books Novels with an information security related theme

As well as reviews of the following information security related products or services: • • • • • •

Magazines Websites Podcasts Tradeshows Software products Hardware products

If you are interested in writing for us, please get in touch via the website (www.infosecreviews.com), or email the editorial team directly at editorial@infosecreviews.com

Training vendors and courses In 2012 we are particularly looking to expand our capability for reviewing training courses and training vendors. If you are planning to go on a course in 2012, or are putting together your training plan for the coming year, and you’d like some advice, get in touch and we’ll try to help. If you’ve been on a course and had a good or bad experience, we’d love to hear from you. As an aside, some training vendors (you know who you are – thanks!) have also extended us the courtesy of free places on their courses for review purposes. These offers will be extended to our most frequently published reviewers during the coming months, as there is just too much work for the core team.

Calling all Bloggers You may or may not be familiar with our Perception blog (weekly column by Mich Kabay – www.infosecreviews.com/perception) as well as our more general blog at www.infosecreviews.com/ blog, where various writers discuss aspects of the security world and what’s going on in the profession. However, we don’t have enough writers that have signed up and are willing to provide a semi-regular posting! We’d like to hear from anyone who’d be interested in blogging for us, on a platform that reaches out to over 10,000 industry professionals per month, where you can express your opinions, preferences, or simply just rant about the state of the world. As long as it stays close to topic, we’re happy to publish you. If you are interested, email the editors at editorial@infosecreviews.com

InfoSec 1_38_InfoSec Recruitment.indd 38

15/03/2012 08:25

InfoSec 1_IBC_Ad.indd 39

10/03/2012 10:17

InfoSec 1_OBC_Ad.indd 40

10/03/2012 10:17