The Little Black Book of Computer Security
Written by Joel Dubin
This book is a very different approach to Information Security. I have to say, I think this style is long overdue. The style that Joel uses is a checklist format for most security issues facing companies today. The book starts off with an introduction to Information Security, including many definitions and terms. This is the only place I really have any issues with the book. Some of the definitions are not in line with the Information Security community's definitions. Without going into too much detail, I highly recommend that anyone who reads this book take the definitions lightly and focus more on the actual content of the book.
The first step the author takes is to categorize attacks. He does this to help lay out the rest of the book. After categorizing attacks and risks, he introduces you to assessing your systems. This is where the book excels. The format from this point forward is in the form of lists, almost checklist-like in some chapters. The checklists could be used by anyone in technology who needs to understand or quickly get a grasp of what should be considered when auditing systems.
The Email chapter is a good example of how these outlines are provided and how they can be helpful. The chapter starts out with a few paragraphs about the overall security of email, covering threats such as sniffing and spoofing. It then quickly turns to outline format, starting with overall posture, encryption, and providing privacy to specific users, and then moving on to spam and infections. In this chapter the author also goes on a tangent and provides a sidebar on how fake emails can be generated and sent. This information could help one understand the simplicity of the attacks, as well as give the reader some firepower to present to management when trying to gain funding for extra protection.
The chapters that follow are Writing Policies, HR and Physical Security, Software Access Controls, Email Security, Malware Protection, Web Site and Perimeter Protection, Intrusion Detection and Response, Disaster Recovery, Wireless, Securing Code, Operating System Security, Protecting Privacy, Preventing Identity Theft, and Protecting Children.
Each of these chapters provides an outline of the essential items that must be considered when discussing security on its subject. The outlines are very well organized, and some even go into detail about other considerations. The book rounds out with future security trends and some cheat sheets, useful web links, and other goodies that any reader could find helpful.
Overall, this book is for anyone in the technical field, whether hands-on or management. The book is written in such a way that anyone wanting to audit or assess a specific area in their environment would find it helpful.