I am quite sympathetic to the idea that the realization
of a security
mindset or attitude (I frequently refer to it as professional
paranoia) is more important to attaining security than
technical skills. I'm sorry to say that this work is
not likely to
help you find, attain, or assess that protection perspective.
from the beginning of the book, readers will find a
eastern philosophy, and even mysticism, to it. There
virtues, an eight-fold path, and even repeated injunctions
reader to keep an "open mind"--a phrase which
those who have conversed
with devotees of the Buddhist faith will find rather
chapter one seems to demonstrate that Day is bringing
us only a new age vagueness in his description of the
We are to rid ourselves of negative thoughts, and follow
virtues, which we haven't been given yet. Computer security
is only a
decade old, we are told in chapter two, and constantly
expensive, and there are few practitioners, and lots
of bad guys out
there, and we are paralyzed by fear--but we have nothing
to fear but
fear itself! Chapter three finally lists the four virtues
security is ongoing, a group effort, requires a generic
is dependent upon education. I don't disagree with any
points (other than the philological debate about whether
be called virtues), and neither would any other security
However, they don't really provide us with much in the
way of help.
Eight security "rules," in chapter four, list principles such as
"least privilege," which are also commonly known in security work.
five is supposed to tell us how to develop a security
but actually seems to be an exercise in wishful thinking.
world were neatly divided into safe and unsafe zones,
and if our
systems all worked perfectly and in correspondence with
known requirements, and if everyone that we trusted were
competent in regard to their own defence, security would
easier. Decision-making is likewise simplistically seen
supported by the virtues and rules, in chapter six. There
superficial overview of blackhats and vulnerabilities
seven. Chapter eight has a standard review of risk analysis.
ideas on hiring security, and some thoughts on outsourcing,
chapter nine. The author gives his opinion on some security
chapter ten. Chapter eleven is another attempt to prove
rules can be used. We are given a final adjuration to
attitudes in chapter twelve.
this book is yet another attempt to write a general
security guide, without first ensuring that the material
structured, sound, complete, or useful.
copyright Robert M. Slade, 2003 BKINSCMI.RVW 20030321