Managing A Network Vulnerability Assessment Review by E. C. Van Eersel

Good content, again horrible writing

After having read "Information Security Risk Analysis"[ISRA], also written by Peltier, I was somewhat unwilling to read this book, particularly because of the crappy proofreading of ISRA. Now that I have finished this book, I can only say it's not as disappointing, but it's not a jewel either.

The content of the first 5 chapters is good. The writers clearly show that a structured approach to vulnerability assessments should be taken instead of blindly running a network vulnerability scanner and passing those (incomplete) results on to management. The methodology they propose is explained clearly, with good emphasis on practical issues (picking assessment team members, assessment team roles, customer feedback, report structures etc). In less than 80 pages they lay it out clearly.

Unfortunately, after describing the administrative part of assessments, they dedicate 60 to 70 pages to tool description. The info provided here is far from new and not set up particularly well. It's simply a list of scanning tools, including vendor comments, which could have been left out, since it's not a product marketing book. The tools and explanations can be found on a million other web pages, as well as in superb books such as Hacking Exposed.

The appendices are good. There's an ISO 17799 checklist with loads of useful questions one can ask during a vulnerability assessment, a very basic Windows vulnerability checklist (could have been left out), tables which I would have loved to see on an accompanying CD, as well as a sample vulnerability report.

For the content the book deserves 4 stars.

The writing, however, is horrible, which isn't surprising, given ISRA (see my review of that book to see what I mean). Again, loads of typos, and an unprecedented use of Ctrl+C and Ctrl+V. It even goes so far that the summary of chapter 3 (pages 45/46) equals the summary of chapter 4 (page 69). Copy, paste, finished! Not surprisingly either, the Acknowledgements section starts off with the exact same paragraph as in ISRA. Just copy and paste, who'll notice?

One of my favorite typos can be found on page 46, when the authors refer to the Windows vulnerability checklist as mentioned above:

[...]
windows NT 4.0 Server 4.0 was developed by Bob Cartwright, CISSP, of ESAAG, Concord, Calfornia [sic], and is presented here with his permission.
[...]

Sometimes the writers contradict themselves, or at least should have explained the content a lot better. See e.g.:
- page 82: e-mail is a topic-specific policy.
- page 83: e-mail is a system- and application-specific policy.

Another annoyance is the many references to books that they wrote themselves or were published by Auerbach (see pages xii, 2, 62, 63, 66, 81; I might have missed some). Again a nice marketing move, but annoying after two or three references.

So: 1 star for the writing. Averages 2.5 stars, which I'll round off to three stars, since the book outclasses ISRA, which I gave 2 stars.