
| Subject: | [CISSP-D] REVIEW: "Minoli-Cordovana's Authoritative Computer and Network Security Dictionary", Daniel Minoli/James Cordovana |
|---|---|
| Date: | Mon, 12 Feb 2007 11:35:51 -0800 |
BKMCACNS.RVW 20070102

"Minoli-Cordovana's Authoritative Computer and Network Security Dictionary", Daniel Minoli/James Cordovana, 2006, 0-471-78263-7
%A Daniel Minoli
%A James Cordovana
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2006
%G 0-471-78263-7
%I John Wiley & Sons, Inc.
%O 416-236-4433 fax: 416-236-4448
%O http://www.amazon.com/exec/obidos/ASIN/0471782637/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0471782637/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0471782637/robsladesin03-20
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 443 p.
%T "Minoli-Cordovana's Authoritative Computer and Network Security Dictionary"

I find that, again, I need to declare the possibility of bias or conflict in this review. Not only have I published a security dictionary of my own, but my work was also intended, as the authors announce in their preface, to be not simply a list of terms, but a set of practical definitions, and even a commentary on the security field.

While my dictionary addresses only security, Minoli and Cordovana have included computer and network in the title (and later mention that they are including financial terms). However, the preface also makes clear that security is the major thrust of the glossary: the first two-thirds of the introduction basically preaches security, and the remaining material even mentions a superior telecommunications dictionary. Therefore, it comes as a bit of a surprise that the first term that has any direct connection to security comes on page four, and even then is only the expansion of an acronym. We are on page eight before we find the first actual definition that has even a nominal connection to security. A random sampling of terms seems to indicate that less than 20% of the entries in the work relate to security. (That relation holds in terms of number of entries. The actual material appertaining to security is proportionately less, since non-security entries tend to be longer than those defining security phrases.) A surprising number of terms deal with cellular telephone technologies and standards, and the promised financial jargon is there in abundance. It is, in fact, not always clear (even from the definition) from which field a particular term comes. (Generally the financial jargon is so identified, but I chased down a particular thread through a number of entries, which task was not aided by the lack of cross-references between terms, before I finally realized that it was not an unusual security phrase, but a minor part of a specific cellular telephone service.)

In regard to the security terms themselves, the value is questionable. Like Phoha's "Internet Security Dictionary" (cf. BKINSCDC.RVW) the authors have included twelve variations on the access theme, and "access control" is only defined in terms of the old confidentiality model. There are 28 variants on authentication, 13 on vulnerabilities, and 20 on business with only three related to security. Five "attacks" are listed, none major. There are seven entries starting with "trojan": one is a definition, five are possible types of trojans, and the last entry lists the previously defined types. Eight phrases start with "Computing:" and include items such as "Computing: Molecular Computers." Ten entries are components of the United States' Communications Assistance for Law Enforcement Act [CALEA], which proliferation of American legal entries also points out the US-centric nature of the work. There are entries for both "Domain Name System" and "Domain Names System." (There is, so help me, a definition for "one-time password" and another for "One-Time Password.") There are two entries for grid computing, and they contradict each other.

The "authoritative" part of the title seems to be based on the fact that the references section lists over 500 articles, Web pages, and books. (It's hard to judge what they are, since the list is not in author, title, publisher, or even date order.) However, the entries sometimes merely conflate material that seems to come from diverse sources, without any attempt at analysis or explanation. (The definition of "stateful inspection," for example, in one phrase is talking about session state, and before the sentence is over has switched to content examination.) Some of the terms are idiosyncratic or seldom used, and there are frequently multiple terms for the same concept. Again, it is not easy to assess the amount of duplication that goes on, since there are almost no cross-references between terms (and in those few instances some of the alternate terms suggested don't actually exist in the book). Even where a specific technology may have major divisions, related terms aren't noted. (The "firewall" entry, for example, doesn't even inventory the four major categories, and "intrusion detection system" lists neither the engine types nor the sensor placement architectures.) However, by looking up terms known to be related the reader can readily find not only multiple terms for similar concepts, but frequently duplicated wording as well (see "ankle-biter" and "script-kiddie"). One of the attacks catalogued, "attack on hash-and-sign signature schemes", is much more widely known as the birthday attack, but there is no corresponding entry under that term. (There is a definition for birthday paradox.) There is an entry for CUT (Coordinated Universal Time) but not the more widely used UCT.

Some of the phrases used for entries mean that people may not find what they are looking for: there is "computer bug" but not "bug" (and no mention of implementation versus design) as well as "computer evidence" and "computer forensics" but not "evidence" or "forensics" (or "digital forensics"). Cryptanalytic attacks are defined under their own entries, but most are also listed (and with more detail) under "Cryptanalysis," [sic] entries (and, again, there are no cross-references between them). There is also an entry for "fork bomb" which is said to be equivalent to "logic bomb" but is defined more as a processor exhaustion virus or worm. "Kleptography" makes reference to "subliminal" and the definition of "subliminal channel" gives an example of a covert timing channel and then states that this is *not* what a subliminal channel is. (Subliminal never is defined except to state that it is an undetectable covert channel.) Canonicalization defines only one of the many meanings (and that possibly the least significant). Only one aspect of "race condition" is given. "Digital money" (rather than the more commonly used digital cash) has no mention of the requirements or technical challenges. Feistel cipher never states the requirement for multiple rounds of simple functions or the iterated subdivision of blocks. The definition of low-level format does not mention that it operates at the physical, rather than logical, stratum (and it states, incorrectly, that a low-level format destroys all data on the disk). A number of entries are for specific (and often obscure) products and little used processes. There are five entries related to cryptoviruses, occupying three pages, whereas the definitions for worm and virus combined don't exceed three column inches. (Within that brief space are at least three factual errors, and there are many important factors that are missing. "Vaccine," which term has not been seriously used in years and then only for a specific type of change detection, is said only to be a program to detect and disable viruses.)

There are a great number of extremely silly typographical errors, such as rile instead of role, pc rather than PC, ant-keylogger versus anti-keylogger, and competing for computing.

There are other, and better, communications dictionaries. There are other, though older, computer dictionaries. There are other security dictionaries, and, even excluding my own, I could not say that this glossary has any advantage over them.

copyright Robert M. Slade, 2006   BKMCACNS.RVW 20070102

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Politicians are the same all over the world, we build bridges where there are no rivers. - Nikita Khrushchev
Dictionary of Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm