Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Information-Security-News
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ISN] REVIEW: "Security Assessment", Greg Miles et al

from [InfoSec News] Network Security [Permanent Link]
Subject: [ISN] REVIEW: "Security Assessment", Greg Miles et al
Date: Fri, 13 Aug 2004 12:05:28 -0500 (CDT) 
Fowarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@sprint.ca>

BKSACSNI.RVW   20040721

"Security Assessment", Greg Miles et al, 2004, 1-932266-96-8,
U$69.95/C$89.95
%A   Greg Miles gmiles@securityhorizon.com
%A   Russ Rogers rrogers@securityhorizon.com
%A   Ed Fuller
%A   Matthew Paul Hoagberg
%A   Ted Dykstra
%C   800 Hingham Street, Rockland, MA   02370
%D   2004
%G   1-932266-96-8
%I   Syngress Media, Inc.
%O   U$69.95/C$89.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1932266968/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1932266968/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1932266968/robsladesin03-20
%P   429 p.
%T   "Security Assessment: Case Studies for Implementing the NSA IAM"

The introduction tries to explain the NSA (National Security Agency)
IAM (Information Assurance Methodology), but is so heavily larded with
(management) buzzwords that no clear concept emerges.  The indications
are that the book is primarily aimed at those who have taken one of
the IAM courses, although there is an explicit statement that the
material can be used by untrained professionals and also by the
"customers" who are undergoing an assessment.

Chapter one describes IAM in words that make it seem very similar to
such tools as CoBIT (ISACA's Control Objectives for Information
Technology tool), ISO 17799, and the NIST (the US National Institute
of Standards and Technology) self-assessment guide.  However, almost
all of the chapter is devoted to a promotion of sharp negotiation of
the scope of an IAM contract, from the vendor perspective.  Chapter
two reiterates the need to control customer expectations and define
contract objectives.  (There is more jargon, and also the use of
idiosyncratic and undefined acronyms like PASV [Pre-Assessment Site
Visit].)  The Organizational Information Criticality Matrix (OICM)
described in chapter three is a kind of simplistic business impact
analysis.  In chapter four, system information criticality and the
System Criticality Matrix (SCM) are said to be more detailed than the
OICM.  Defining system boundaries is acknowledged to be difficult, but
neither the explanation nor the examples used are of any help in
clarifying the issue.  Both the text and the tables used in the "case
study" are extremely confusing in regard to the relation between
entries in the OICM and the SCM.

The system security environment, described in chapter five, is what
most people would know as corporate culture: the general attitudes and
behaviours common to an institution.  The book suggests finding and
using the CONOPS (concept of operations) documentation while admitting
that it may not be found in most commercial enterprises.  (The authors
don't explain that this is basically identical to the common policy
and procedures manuals, although they do eventually get around to
mentioning these texts.)  The TAP (Technical Assessment Plan) is
actually just a specific format for a detailed contract, so we have to
go through all of that type of editorial comment again, without really
getting much information about the recommended TAP structure.  Chapter
seven involves the assessment itself, and generally deals with
administrative details--and making sure that the customer does not
modify the scope of the contract.  The eighteen basic information
security models get listed, although this seems to be almost an
afterthought, rather than the core of the IAM itself.  Findings, the
report of the assessment results, are described in chapter eight.  A
sixteen page example does little more than provide a format.  The
close out report, in chapter nine, is a final sales meeting with the
customer.  The final report is given in a different, and more general,
format in chapter ten.  Cleanup work and followup sales of consulting
are discussed in chapter eleven.

The constant repetition of very basic ideas and the turgid and
buzzword-laden text make this work far longer than is justified by the
information provided.  In addition, the extreme emphasis on the
viewpoint of a vendor trying to sell a contract (and protect himself
from doing any unbillable work) is a severe limitation on the audience
for this tome.  Essential components of the IAM model and process do
not seem to hold any central place in the book, and the reader
discovers them almost by accident, and despite of the writing rather
than because of it.

copyright Robert M. Slade, 2004   BKSACSNI.RVW   20040721


======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
                  Ambivalent? Well, yes and no.
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - 
http://www.osvdb.org/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [ISN] REVIEW: "Security Assessment", Greg Miles et al, InfoSec News <=
Previous by Date:  [ISN] US Emergency Alert System open to hack attack, InfoSec News
Next by Date:  [ISN] DidTheyReadIt operations and security concerns, InfoSec News
Previous by Thread:  [ISN] US Emergency Alert System open to hack attack, InfoSec News
Next by Thread:  [ISN] DidTheyReadIt operations and security concerns, InfoSec News
Indexes:  [Date] [Thread] [Top] [All Lists]