|Cybersecurity: A Self-Teaching Introduction|
I started to read this book because I realized my knowledge of security issues was a bit out of date. I can honestly say that I learned nothing practical by reading this book. It is essentially a manager's style summary of everything do with cybersecurity you can think of and it is full of lists of things and terms, but it never gets to tell you anything about how things work or what to do.
The back-jacket blurb mentions firewalls and VPNs - there is virtually no mention of either inside and if you do read what little there is you will still have no idea what a firewall or a VPN is, let alone how one works or how to use one.The discussion is vague and keeps the reader at a distance. For example, the discussion of different types of firewall give you no idea what is actually happening or what you are being protected against.
There isn't a single piece of information included that would help you detect or deal with a security problem. There isn't a single piece of practical advice or actionable recommendation. If there is I missed it among the lists.
Chapter 1 presents a philosophical discussion of what is a computer system and even the table showing how information systems developed is dubious - it claims that the www was extended by the Internet! I have no idea what this means.
The book carries on like this looking at different areas where security might be important. So in Chapter 2: Application security there are lists of types of application and it reminds you to make backups. This is the chapter in which firewalls and VPNs are introduced and I'm not sure in what sense they apply to "application security". There then follows a list of types of attack - DOS, viruses, logic bombs, trapdoors, etc - but this amounts to just a definition to make you aware of the terminology.
Chapter 3 is about developing secure information systems and it's a vague managment-level account of how you might do things. For example, you should engage in threat modelling - no help on how to do this is given. Another example is what you do in the "design review":
The chief design consideration to implement security are the following:
"Using random numbers" well yes I guess so, but "applying cryptography" - if only it was that easy. You might as well add "try harder not to get hacked".
Chapter 4 is a brief survey of standards and legal requirements. It ends with a look at open source license types, and I don't see what this has to do with the topic.
The final chapter is another vague examination of a huge topic - data analytics, cloud computing, IoT, smart grid, Scada and wireless sensor networks.
This could be the sort of book a manager might read to find out about cybersecurity. If this is the case I really fear for any teams they manage and I really don't think they would have any idea how to lock down a system after reading it. More to the point I don't think they would know how to tell someone else to make the system secure or check that it was. At best this is a book that might impart some of the jargon and terms used in cybersecurity so that you had a chance of sounding knowledgeable. Being more charitable, it might enable you to understand what a cybersecurity expert was proposing - but I really doubt it.
If you are a programmer, don't bother reading this book. If you see your manager reading it, be prepared for trouble.
|Last Updated ( Tuesday, 25 August 2020 )|