Network Security CISSP-Discussion

Subject: [CISSP-D] REVIEW: "The Security Risk Assessment Handbook", Douglas J. Landoll
Date: Wed, 15 Nov 2006 10:49:42 -0800
BKSCRAHB.RVW   20060919

"The Security Risk Assessment Handbook", Douglas J. Landoll, 2006,
0-8493-2998-1
%A   Douglas J. Landoll
%C   920 Mercer Street, Windsor, ON   N9A 7C2
%D   2006
%G   0-8493-2998-1
%I   Auerbach Publications
%O   +1-800-950-1216 auerbach@wgl.com orders@crcpress.com
%O  http://www.amazon.com/exec/obidos/ASIN/0849329981/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0849329981/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0849329981/robsladesin03-20
%O   Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   473 p.
%T   "The Security Risk Assessment Handbook"

Chapter one is an introduction.  Landoll's text is initially rather
preachy and biased.  The first couple of sections appear to take the
position that industry has failed in its responsibility to secure
information systems, and therefore (the United States federal)
government has had to take charge.  He then lists (although does not
describe in any detail) various security frameworks and guidelines,
and argues that, simply on the basis of a lack of congruence between
these documents, "best practices" are a myth.  His conclusion, that
risk-based security planning is better, seems oddly gleeful in the
context of such an otherwise dour piece of writing.

Unfortunately, the author does not seem to do any better with risk-
based security planning, right off the top.  We are told (on page
four) that "the establishment of an information security program is
not the topic of this book.  The topic of this book is how to perform
and review an information security program," which statement(s) must
surely rank highly in terms of self-contradiction and confusion.

Were the reader to quit after this inauspicious, muddled, and verbose
beginning, however, it would be to miss a work of some value.  Within
pages, Landoll clarifies the rationale for, and types of, risk
assessment, as well as explaining the purpose of this volume in light
of other existing assessment tools and documents.  (To his credit,
where other authors tend to denigrate alternative references, Landoll
notes their respective strengths, and then states the extension that
his book provides.)

It is frustrating to attempt a single assessment of the book.  The
text has value, but also annoyances.  Chapter two provides a useful
guide to the basic components of the risk assessment process (which
forms the structure for much of the rest of the book).  At the same
time, where Landoll has been using the business-oriented breakdown of
control types (into administrative, technical, and physical), when
discussing safeguards he suddenly switches to the categories of
preventive, detective, corrective, et cetera, that are more familiar
to those in the government and military.  (Interestingly, for someone
from a strongly governmental background, Landoll does not fill out the
list with recovery, compensating, deterrent, and directive.)  In
addition, when reviewing the concept of residual risk, two new terms
of "static" and "dynamic" risk are introduced.  Although the terms are
poorly defined, "static" seems simply to refer to residual risk, while
"dynamic" appears to mean nothing more than risk itself.  Therefore,
these two new entries provide no distinct value to the discourse, and
only serve to confuse the issues.

Again, chapter three covers the vital topic of the definition of
objectives and scope of a risk assessment project.  When discussing
the "customer" for a review, "Risk Assessment Method" and "Objective
Review" seem to be presented as potential clients.  While the question
of quality of work would certainly appear to be a legitimate concern
in dealing with project extent, Landoll includes a great deal of
material relevant only to the final report, such as grammatical
correctness and visually pleasing presentation.  On the other hand,
there is a good deal of very practical content addressing issues of
realistic scope and reasonable budgeting.  The preparation phase is
covered in chapter four, dealing both with practical issues such as
letters of introduction, more esoteric concerns of system and asset
criticality, and also reviewing a number of methodologies and
approaches to risk assessment (although primarily at a conceptual
level).

Chapter five starts a string of chapters on various types of data
collection.  It leads off with general discussions on the topic,
examining questions of sampling and related issues.  (Landoll is not
always careful about explaining terms before starting to use them:
neither the index nor any part of the text notes that the RIIOT
method, which is used extensively in the chapter, is merely an acronym
for the phases of review, interview, inspect, observe, and test.)  The
gathering of data on administrative safeguards, in chapter six, has
good checklists of items to assess, and uses the RIIOT format to
structure the areas and phases of the elements to consider.  (There is
a rather odd reluctance to discuss policy, and an even stranger
overemphasis on two-man controls.)  Moving into technical
countermeasures, chapter seven starts off with a section on attacks
and controls.  There are very odd errors in the text: the distinction
between SPAM (the Hormel food product) and spam (bulk unsolicited
commercial or fraudulent messages) may be subtle but every security
specialist should know it and yet Landoll uses SPAM throughout.  The
section on antivirus protection is weak, cross-references are spotty,
and Landoll uses an old (and generally abandoned) type of firewall
(session-level, which is an amalgamation of stateful and circuit-level
proxy).  Intriguingly, authentication is not addressed with technical
controls, but (rather weakly) with physical protection, in chapter
eight.  Most of the discussion of physical security outlines
particular safeguards, and there is little deliberation on risk
assessment or the factors that can influence it.  (For example,
various power supply alternatives are discussed, including the rather
esoteric flywheel generator, but the idea of requesting information
from the utility on past power outages doesn't seem to have occurred
to the author.)

Chapter nine does turn to security risk analysis, briefly, but with
some helpful pointers for the evaluation process.  Risk mitigation, in
chapter ten, looks rather tersely at choice of controls, and does an
oddly complicated review of cost/benefit analysis.  Styles for
different types of reports resulting from risk assessment are outlined
in chapter eleven.  Chapter twelve presents a fairly standard look at
project management (with extra emphasis on reporting).  Chapter
thirteen lists, but does not adequately describe, various risk
assessment methodologies.

Despite the weaknesses, oddities, and gaps in the book, it does
provide a decent overall guide, and some very useful practical
suggestions.  It is not quite complete in all areas, and therefore
likely unsuitable as the sole source of advice on the risk assessment
process for the novice, although the newcomer would not go far wrong
in following the counsel of this work.  The experienced security or
risk assessment professional will still find valuable recommendations
and advice.  For anyone in the security or risk analysis field, the
book is well worth considering.

copyright Robert M. Slade, 2006   BKSCRAHB.RVW   20060919


======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
Bodily exercise, when compulsory, does no harm to the body; but
knowledge which is acquired under compulsion obtains no hold on
the mind.                                      - Plato, The Republic
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
