A good little black book

The long view of security strategies for your network.

As Malcolm X once pointed out, Western society is so thoroughly permeated with racism that “black” is almost always a negative word. We speak of a “blacklist” and a “black mark”; most pinko-gray people (E.M. Forster’s preferred description of “white” folks) think that there’s nothing peculiar about “denigrating” or “blackening” someone’s reputation. Security books with “black” in the title have usually been focused on criminal hacking or virus writing.

I’ve had a decade-long argument with Mark Ludwig, for example, about his habit of publishing books that provide full details of virus code (e.g., _The Little Black Book of Computer Viruses_ and _The Giant Black Book of Computer Viruses_).

On the other hand, “black book” can also be used in a positive sense; one dictionary defines it as a book full of telephone numbers. By extension, “black book” has come to mean a concise technical manual that can be carried about easily - what was once called a “vade mecum” (Latin for “come with me”).

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

As Malcolm X once pointed out, Western society is so thoroughly permeated with racism that “black” is almost always a negative word. We speak of a “blacklist” and a “black mark”; most pinko-gray people (E.M. Forster’s preferred description of “white” folks) think that there’s nothing peculiar about “denigrating” or “blackening” someone’s reputation. Security books with “black” in the title have usually been focused on criminal hacking or virus writing.

I’ve had a decade-long argument with Mark Ludwig, for example, about his habit of publishing books that provide full details of virus code (e.g., _The Little Black Book of Computer Viruses_ and _The Giant Black Book of Computer Viruses_).

On the other hand, “black book” can also be used in a positive sense; one dictionary defines it as a book full of telephone numbers. By extension, “black book” has come to mean a concise technical manual that can be carried about easily - what was once called a “vade mecum” (Latin for “come with me”).

I recently received a review copy of a useful security “vade mecum” called _The Little Black Book of Computer Security_ by Joel Dubin, CISSP.

In 150 pages, Dubin presents a neat package of valuable reminders about significant security best practices and security assessment questions. The jacket bio says that the author “works as an independent computer-security consultant who is based out of Chicago. He has received multiple certifications from Sun Microsystems in the Java programming language as well as MBA and BA degrees from Northwestern University.”

This little book is ideal for widespread distribution to employees throughout an organization as part of a security-awareness campaign. The 7-inch-by-4.5-inch book is just the right size to slip into a pocket, purse, or computer bag. It has 19 chapters and five appendices with topics such as:

* Assessing Your System
* Writing Your Security Policy
* Taking Care of Physical Security
* Managing Human Resources
* Putting Software Access Controls in Place

And so on.

Flipping pretty much at random into the book to pick an example, I opened it at Chapter 9, “Protecting your system against viruses, Trojans, and worms.” Dubin starts with a concise definition of malware, provides a simple and clear table distinguishing among viruses, Trojans and worms, and summarizes the main sources of infection with a paragraph each.

Here’s an example - the section on Web sites:

“Malicious Web sites and their pop-ups can contain malware in two forms: tiny blank images and HTML tags. The former are invisible on the page but contain spyware, for example, in embedded HTML code. The latter can use your browser to download malicious code from the attacker’s Web site to your computer.”

Now, readers with extensive technical knowledge may want to quibble with the details, but for educational purposes, this is an adequate introduction to some of the problems of malicious code on Web sites.

The malware chapter continues with clear, numbered recommendations for defenses. The numbering makes it easy for technical support or security personnel to refer to specific recommendations or steps when discussing the procedures with users. There are also occasional notes flagged with a special symbol to mark extra information; e.g., Chapter 9 includes this tidbit:

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.