LBB2E: Joel Dubin updates his pocket guide

Joel Dubin has just sent me the update of his useful guide to computer security, The Little Black Book of Computer Security. In October 2005, I published a review of the first edition and I refer readers to that review for a sense of the first edition's qualities. I liked the book so much I ordered it for the assigned readings in one of the seminars in the MSIA program.

The book has grown from 150 pages to 207 pages (38%) but its price has changed from $19.95 to $25.95 (30%). Seems fair. It still fits in a (large) pocket. More important, the content has significant changes.

Dubin begins with an insightful commentary in his introduction (quoting exactly):

"IT security has broadened dramatically. Its issues have expanded from the technology arena into the business arena. In other words, IT security no longer consists solely of the IT department working to lock down networks. It has moved into the boardroom as business leaders grapple with the business impacts of potential data breaches. Those leaders are now concerned with complying with legal regulations, protecting the privacy and identity of their customers, and keeping their brands intact if data breaches do occur. Consequently, IT security has developed into the more wide-ranging field of information security.

"Furthermore, as the network perimeter has dissolved, the old-fashioned firewall has evolved. Hackers have become more sophisticated, bypassing firewalls and other network controls by inserting malicious code into Web sites. Today, even innocent sites can serve as repositories of dangerous malware that can defeat the toughest network defenses. In other words, the threat has shifted from the network to the application. The new paradigm therefore entails not only safeguarding hardware and networks but also protecting data wherever it happens to be – a Web site, a database, or anywhere in between."

There are three new chapters. Quoting from correspondence with Dubin:
* Chapter 19 on compliance and working with auditors, since this has become such a big part of many IT security professionals' lives.
* Chapter 20 on security awareness training, since this has become part of compliance with tips on the bare bones minimum of what should go into an security training program.
* Chapter 21 is a simple explanation of encryption, which IT security pros can use to distill this complex topic for the business folks.

Other improvements in the guide include updated and expanded recommendations on:
* Endpoint security and network access control and mobile device security
* Application security, including vulnerability and pen testing, with an emphasis on the new security threats from the Web and Web 2.0 technologies
* Wireless security
* Privacy and identity theft and regulations related to privacy
* How to use full-disk encryption

Finally, the author has updated the appendices in the back with fresh links for helpful security Web sites, bulletins and tools.

So is there anything I don’t like in the book?

It’s not a question of liking or disliking (well, except for using “data” as a singular word). I disagree with a few of the recommendations; for example, on page 54 Dubin writes, “Lock out an account after three failed logon attempts” and then explains that users should have to call the IT group to reset their password. “This practice offers the easiest defense against a brute force attack.” Well, no: it offers an attacker a trivial way of executing a denial-of-service attack on every user account for which (s)he knows the user ID. It also raises the cost of such an attack by orders of magnitude because of the amount of time wasted by both users and the help desk.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.