BKWHTHSA.RVW 20010814

"White Hat Security Arsenal", Aviel D. Rubin, 2001, 0-201-71114-1, U$44.99/C$67.50
%A   Aviel D. Rubin rubin@research.att.com
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2001
%G   0-201-71114-1
%I   Addison-Wesley Publishing Co.
%O   U$44.99/C$67.50 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%P   330 p.
%T   "White Hat Security Arsenal: Tackling the Threats"

The distinctive feature of this book is that it approaches security as a series of specific problems or concerns. The non-distinctive feature, if you will, is that it attempts to address all audience levels: users, IT professionals, academics, and administrators. A series of icons identifies, at the beginning of each chapter and at particular sections of the text, who should read the various segments.

Part one examines the size and scope of the security issue. Chapter one starts with perhaps our biggest problem as security people: the insistence on secrecy by companies that get hit, and the fact that this obstinate refusal to discuss the facts makes our job of protecting institutions that much harder. A brief look at what may be at risk from security problems is given in chapter two. Recent email viruses are reviewed in chapter three, but they get an interesting treatment: the material, while technically sound, concentrates on the general security attitudes and lessons to be learned, as they apply to computer use in general.

Part two looks at information storage. The problem addressed in chapter four is keeping information private if an attacker gets hold of your machine, and Rubin gives a good introduction to symmetric encryption and provides tips on passwords. Chapter five, on storage at remote sites reached over an insecure network, touches on passwords again and on asymmetric encryption. Chapter six is supposed to deal with securing backups, but seems to get a bit confused, although it does provide some good tips, as well as an overview of some online backup services.

Part three considers the problems of data transfers over an insecure net. Chapter seven introduces authentication and some of the problems of public key management. Session keys and key exchange are examined in chapter eight; it carries the academic icon, and non-specialist users might get a bit confused here. Virtual private networks are reviewed in chapter nine, and here the book begins moving towards the usual technology-oriented model.

Part four looks at network threats. Chapter ten explains firewalls, while eleven discusses a variety of network-based attacks.

Part five doesn't really have a central theme. The title of chapter twelve is "Protecting E-Commerce Transactions," but most of the text deals with the Secure Sockets Layer (SSL) as used by Web browsers. Privacy, in email and Web browsing, is discussed in chapter thirteen, but many areas are left unexplored.

For managers and users who are not specialists in computer and communications security, this book provides a readable and accurate introduction to a number of important topics. There are, unfortunately, a number of gaps in terms of the total security picture, but that is probably to be expected when taking the problem-oriented approach. Rubin does not talk down to the audience and does not oversimplify, and this work is therefore superior to a number of the introductory books on the market.

copyright Robert M. Slade, 2001