
Book details security analysis

Aug 05, 2004 | 3 mins

* Book review: Performing Security Analyses of Information Systems

One of the textbooks I chose for Seminar 5 of Norwich University’s graduate program in information assurance is “Performing Security Analyses of Information Systems” by Charles L. Smith Sr.

Seminar 5 of our program is entitled “Detection & Response”, and covers areas such as vulnerability assessment and intrusion-detection systems; monitoring and control systems; application controls; honeypots; computer emergency quick-response teams; data backup and recovery; disaster recovery; and forensics.

In addition to these interesting topics, I assign a long-term reading project for the 11 weeks of the seminar: Smith’s excellent manual. The students read one or two chapters of this 500-page text every week and apply what they learn to their weekly field exercises (our students have to interview their colleagues and analyze aspects of security in their own place of employment throughout their program).

Smith’s book begins with a fine review of basic principles of information security and of the information-processing infrastructure in Chapter 1.

Chapter 2, “An Overview of Security Analysis,” is a short review of threats, vulnerabilities, countermeasures, working with users and related topics.

Chapter 3 looks at network security policies with special attention to U.S. government requirements.

Chapter 4 is “A Comprehensive Security Analysis Process” which includes the following elements:

* Formulate a security policy

* Formulate a security rules base

* Formulate the security requirements

* Perform a risk assessment

* Develop a security architecture

* Develop an overall architecture

* Develop a migration plan

* Implement the migration plan steps

* Perform a security test and evaluation

Chapter 5, “Security Architectures,” looks at security considerations for the Web, voice and data networks, and client/server systems.

Chapter 6, “Risk Assessment,” is the longest part of the book at almost 100 pages. The chapter is packed with useful information presented in tables, equations, figures and clearly written text.

Chapter 7 looks at countermeasures and reviews communications protocols, distributed denial-of-service attacks, and methods for selecting among countermeasures.

Chapter 8, “Migration Process,” focuses on how to implement change in production systems without causing more disruption than we are trying to prevent.

Chapter 9, “Security Test and Evaluation,” briefly examines how to manage testing in four phases:

* Test planning

* Test operations and data collection

* Test analysis and evaluation

* Reporting of test results

Chapter 10 concludes the text with a summary of recommendations. It is followed by a sample security policy and other useful information. The author provides extensive references for further reading at the end of every chapter.

My only complaints about the book are relatively trivial:

* I wish the author had not used justified text in tables (there are often big gaps between words in the short lines);

* The index is a bit skimpy for such a densely packed book;

* I would have liked to see at least a brief review of the six fundamental attributes of information that we protect as defined in the Parkerian Hexad (confidentiality, control or possession, integrity, authenticity, availability and utility).

I hope that readers will take advantage of this extraordinary value: at $6 for an electronic version and $20 for a paper version you can’t afford to pass it up: