|The Basics of Information Security|
Author: Jason Andress
This book has the subtitle, "Understanding the fundamentals of InfoSec in theory and practice". Does it deliver?
Chapter 2 covers identification and authentication looking at multifactor authentication and the use of biometrics and hardware tokens. Authorization and access control are the next topics. Chapter 3 includes discussion of the most common access control models: discretionary, mandatory, role-based, attribute-based access controls, including the use of CAPTCHA, and multilevel access control where the Bell La Padula, Biba, Clark-Wilson and Brewer and Nash models are introduced. Measures of accountability and the use of auditing are discussed in Chapter 4.
Chapter 6: Operations Security again opens with history - this time looking at the ideas of Sun Tzu, the Chinese military general who lived in the sixth century BC and whose book, The Art of War is "considered to be a bible" for operations security, including information security. Coming forward in time the ideas of George Washington are mentioned before arriving at the Vietnam War where the term operations security and its acronym OPSEC was coined.
The chapter considers five major steps: identification of critical information; analysis of threats; analysis of vulnerabilities; assessment of risks; application of countermeasures. The chapter also includes the three Laws of OPSEC as formulated by Kurt Haas of the DOE. The first two are stated as questions:
The third is
The chapter concludes with a look at operations security in our personal lives.
Operating system hardening is discussed in the next chapter with six main ways suggested:
The chapter also touches on protecting against malware, software firewalls and host intrusion detection. It concludes with a look at some appropriate tools; port scanners such as Nmap, vulnerability tools such as Nessus and exploit frameworks such as Metasploit.
Chapter 10 on applications opens with an account of a specific breach of security. This slight deviation from the format serves to motivate the look at vulnerabilities in the software development process including buffer overflows, race conditions, input validation attacks, authentication attacks and cryptographic attacks. Next comes Web security - both client-side and server-side and then database security - protocol issues; unauthenticated access; arbitrary code execution and privilege escalation. Again there's discussion of tools and as well as sniffers it covers fuzzing tools and Web application analysis tools such as Burp Suite. It is the inclusion of such tools that gives these final three chapters greater "practicality" than previous ones.
Overall, this book follows a logical progression and makes good use of heading and subheadings so that the material is easy to follow; diagrams are included where helpful. Boxouts are also used to good effect - you'll find Alerts for points you need to pay attention to and More Advanced for ones you can skip. The boxouts used towards the end of each chapter for "Real World" topics allow the author to break out of textbook style and relate the material to a wider context. The chapters then conclude with a Summary followed by Exercises - a list of questions that serve as a check that you have understood the main points covered. No answers are provided so if you are stumped use the index or re-read before moving on.
This book is aimed at beginners and is equally suitable as a course text or for self-study. The developer should, of course, have a working knowledge of the topics it covers and this is a good place to start if you need an overview of the basics.
|Last Updated ( Saturday, 01 October 2011 )|