Internet Security for Business
by Terry Bernstein, Anish B. Bhimani, Eugene Schultz and Carol A.
Siegel
Wiley Computer Publishing
452 pages; $34.95
ISBN# 0-471-13752-9
Security is definitely the subject du jour for Internet books these days. With a plethora of Internet security books on the market, you would naturally expect there to be some good ones and some bad ones. I am pleased to report that Internet Security for Business is one of the good ones.
The book is aptly named. It is aimed at businesses--specifically at managers of computer networks that are connected to the Internet. The authors begin by defining the security threats, then walk through the entire process of creating a policy and implementing it.
A look at the structure of the book reveals that it was designed to be a reference kept at hand. The four-page table of contents can get you to the general section of the book you want, and you can fine-tune the search using an index that consists of 11 pages of small print.
Like any other well-designed reference book, Internet Security for Business has a good glossary. Its 17 comprehensive pages of terms and definitions contain almost every term I looked up. The only missing pieces are terms from the hacker world, like cracker, phreaker, H/P/A/V and cypherpunk. It was, however, refreshing to see a book that defines the term hacker correctly (as a computer technophile), rather than making it synonymous with "computer vandal."
The "Where to Find More Information" appendix is likewise exemplary. It includes 11 pages of Web sites, software, Usenet newsgroups, Internet mailing lists, FAQs (Frequently Asked Questions documents) and RFCs (Internet Request for Comment documents).
I was disappointed, however, to see only two books listed in this appendix. The body of the book references others that are pertinent, but I would have liked to see listings of other computer security books and books on related subjects like PGP (Pretty Good Privacy) and network administration.
Internet Security for Business covers all the high-level details that you would want, such as considerations for security policies, political issues for policy implementation and descriptions of available tools such as firewalls and filters. Interspersed throughout this discussion are details, tips and case studies that take you right into the meat of the issue, such as Unix systems that ship with a default "+" setting in the "trust" file, which is a major security hole.
The book also addresses a subject near and dear to the hearts of many UniForum members and UniForum's IT Solutions readers: Why do so many of the Internet's security holes appear to be in Unix machines? The eloquently stated answer is that "holes tend to be found in systems in which it is beneficial to find a hole--in other words, if there weren't so many Unix machines on the Internet, there may not be as many known holes in the Unix system." The authors then remind us of the notorious Willie Sutton's famous quote when asked why he robbed banks: "Because that's where the money is."
The book continues on to point out that all systems are potential security risks, not just the Unix boxes. Holes have been found in many different operating systems, and we have by no means found all of the holes yet. While the authors don't explore specific implementational details of security on Microsoft Windows NT, IBM OS/2 and the Apple Macintosh operating system, the vast majority of the subject matter in the book is applicable to any system connected to the Internet.
Just as figure skating has its compulsory routines, certain topics are absolutely necessary in an Internet security book, and the authors address them. The list includes firewalls, picking passwords, encryption (especially e-mail encryption), spoofing, system configuration and security policies.
The book also contains a description of physical security, including such topics as server co-location (putting your Internet machines in someone else's facility). Physical security is often overlooked, due to the mistaken belief that security threats always come from the outside; Internet Security for Business gives this subject the attention it deserves.
For example, its excellent description of packet filtering goes deeper than most of the overview guides to Internet security on the market today. It covers packet wrappers, protocol translation, port assignments and a number of tricks to bypass shoddy packet filtering. The authors also discuss how much is too much, explaining how to find the trade-off point between leaving your system wide open and closing it up so tight that your employees can't get anything done.
No book about security is complete without a discussion of the people who would subvert that security. In this case, that means crackers, disgruntled employees, competitors and hackers having fun. The authors examine the motivations of the people who might attempt to break into your system and the tools that they use.
Particularly pertinent is the subject of "social engineering." This is the practice of tricking people into releasing information that compromises security. Crackers consider it the most powerful tool in their arsenal, and many security consultants admit that there is simply no way to prevent it. A skilled cracker can often get access to your system without ever touching a keyboard, simply by fooling employees into revealing their passwords or access codes.
Trojan Horses are discussed at some length, and there is even a case study of the infamous Crackerjack program. A Trojan Horse is a program that masquerades as something else. It might call itself a solitaire game when its real function is to vandalize your computer. Crackerjack was distributed as a tool for testing the passwords on a Unix system. It analyzes the password file and reports back the passwords it was able to crack. An early version of Crackerjack did a bit more, however. In addition to providing the system administrator with a list of "weak" passwords, it also forwarded the list to the program's author, who compiled a massive list of compromised user accounts.
Personally, I would have liked to have seen more on this subject. "Where to Find More Information" should have listed more of the hacker/cracker tools discussed in the body of the book, like Crackerjack and the infamous SATAN program, which receives only passing mention. Just as football teams carefully scout and research their competition, security managers must study those who would compromise their systems' security.
A discussion of H/P/A/V (hacking/ phreaking/anarchy/virus) tools, bulletin-board systems, Usenet newsgroups and Web sites would have done a great deal for this book. The authors can't cover everything in less than 500 pages, but this subject could have used more coverage.
I recommend this book for anyone who needs an understanding of Internet security from a business point of view. It has enough technical detail for even techies to get something out of it, yet nontechnical managers can skim over the heavy parts and gain a valuable understanding of the fundamentals of Internet security.
Gary Robson is founder and chief technology officer of Cheetah Systems, Inc., in Fremont, CA. He can be reached at grobson@caption.com.