IT Security: Risking the Corporation Review by Richard Bejtlich

Disappointing; an "audit everything" approach to incidents

When I saw Gene Spafford's glowing foreword to "IT Security," I expected a good read. This book did not deliver, and Spafford's suggestion that those seeking "deeper insight" consult "IT Security" rings hollow. I wondered if Spafford even read this very book when he wrote "all too often, management depends on the services or writings of self-professed experts whose whole experience has been in downloading and running pre-packaged penetration tools written by others." (p. xiv) The author's own words fit this mold. Consider these quotes:

"I thought these would be fun systems to break into, just because of the nature of the information stored. My last reason [to run a penetration test] was that I had some new toys I wanted to play with. Brad Powell, a known force in security circles for years, had just passed me some great new break-in tools." (p. 74) This sounds like the very sort of person chastised by Spafford.

I was also appalled by the author's readiness to disparage her clients. Consider these, from three "real security audits":

"Did the company consider legal data and financial data unimportant to secure? Or were Kenji and Dawn simply clueless?" (p. 75)

"In my opinion, he was a real loser." (p. 61)

"Joseph clearly fit into what I call the big-L category, and that's 'L' for loser." (p. 102)

Beyond these choice words by a consulting "professional," the author demonstrates no concept of proper incident response procedures. Anyone following her example will destroy evidence and corrupt investigations. In chapter 2, she "helps" an ISP known to be suffering extensive compromise: "within seconds, I had broken root and gained full control of their main server." (p. 25) What sort of incident response expert collects evidence by breaking into a suspect system? Similar "advice" appears in chapter 3, where "arguably the best security guru in the company" responds by "testing the network for security vulnerabilities" during the latest crisis.

"IT Security" also shows a lack of understanding regarding IDS operations and the security "big picture." The author casually writes "Most IDS can detect the attack only if a signature exists. Sounds silly if you think about it. . . Make sure your IDS can detect new zero-day attacks." (p. 11) While this may make sense on the surface, this breezy statement has no supporting advice and is of little help. The author then claims "You need to know when your company last did a security audit. That is the only way to be sure that your systems are secure." (p. 27). The only thing an audit reveals is the level of risk the day the audit completed. Security is a journey, not a destination!

I rated "IT Security" three stars because the "Let's Not Go There" sections actually contain good advice. Beware the rest of the material.