
Book Review: Internet Security for Business

Reviewed by Gary D. Robson
IT Solutions (Nov 1996)
Internet Security for Business
by Terry Bernstein, Anish B. Bhimani, Eugene Schultz, and Carol A. Siegel
Wiley Computer Publishing
452 pages, $34.95
ISBN 0-471-13752-9

Security is definitely the subject du jour for Internet books these days. It's probably the only topic that's generating more titles than Java programming. With a plethora of Internet security books on the market, you would naturally expect there to be some good ones and some very bad ones. I am pleased to report that "Internet Security for Business" is one of the good ones.

The book is aptly named. It is definitely aimed at businesses -- specifically at managers of computer networks that are connected to the Internet. The authors begin by defining the security threats, and then walk through the entire process of creating a policy and implementing it.

Analytically Speaking

We will begin by taking a look at the structure of the book. It was obviously designed to be a reference book, to be kept at hand. A four-page table of contents can get you to the general section of the book you want, and you can fine-tune using an index that consists of eleven pages of small print.

Like any good reference book, "Internet Security for Business" has a good glossary. It contains seventeen comprehensive pages of terms and definitions. The glossary contains almost every term I looked up. The only missing pieces were terms from the hacker world, like cracker, phreaker, H/P/A/V, and cypherpunk. It was, however, refreshing to see a book that defines the term "hacker" correctly (as a computer technophile) rather than making it synonymous with "computer vandal."

The "Where to Find More Information" appendix was likewise exemplary. It included eleven pages of Web sites, software, Usenet newsgroups, Internet mailing lists, FAQs (Frequently Asked Questions documents) and RFCs (Internet Request for Comments documents). I was disappointed to see only two books listed in this appendix. The body of the book referenced others that are pertinent, but I would have liked to see listings of other computer security books and books on related subjects like PGP and network administration.

Getting Down to Details

"Internet Security for Business" covers all the high-level details that you would want, such as considerations for security policies, political issues for policy implementation, and descriptions of available tools like firewalls and filters. Interspersed throughout this discussion are details, tips, and case studies that take you right into the meat of the issue, such as Unix systems that ship with a default "+" setting in the "trust" file, which is a major security hole.
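As an added illustration of the "+" trust-file hole mentioned above (this is not code from the book or from the review), here is a small audit of a BSD-style hosts.equiv/.rhosts file that flags wildcard entries. The sample file content, the function names and the comment handling are assumptions made for this example.

```python
# Constructed sample of a BSD-style trust file (hosts.equiv / .rhosts format).
# Each line is "host [user]"; a bare "+" in the host field trusts every host,
# and a "+" in the user field trusts every user from that host.
SAMPLE_HOSTS_EQUIV = """\
# Trusted hosts for the r-commands (constructed example)
+
trusted.example.com
partner.example.com  +
-@untrusted_group
+@admins
build01.example.com  alice
"""


def parse_trust_line(line):
    """Return (host, user) for one trust-file line, or None for blank/comment lines.

    Assumption: '#' starts a comment; implementations differ, so check your platform.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    host = fields[0]
    user = fields[1] if len(fields) > 1 else None
    return host, user


def audit_trust_file(text):
    """Flag entries that trust every host or every user.

    Returns (line_number, severity, reason) tuples with 1-based line numbers.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parsed = parse_trust_line(raw)
        if parsed is None:
            continue
        host, user = parsed
        if host == "+":
            # The shipped default the review warns about: any host on the network is trusted.
            findings.append((lineno, "critical", "wildcard host: any host is trusted"))
        if user == "+":
            # "host +" lets any remote user log in as any local user from that host.
            findings.append((lineno, "critical", f"wildcard user from host {host}"))
        if host.startswith("+@"):
            # Netgroup trust is only as good as the NIS netgroup membership; worth a review.
            findings.append((lineno, "warning", f"netgroup trust: {host[2:]}"))
    return findings
```

Run `audit_trust_file(open("/etc/hosts.equiv").read())` on a host to list the risky lines with their line numbers.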

The book also addresses a subject near and dear to the hearts of many UniForum members and IT Solutions readers: Why do so many of the Internet's security holes appear to be in Unix machines? The eloquently stated answer is that "Holes tend to be found in systems in which it is beneficial to find a hole -- in other words, if there weren't so many Unix machines on the Internet, there may not be as many known holes in the Unix system." The authors then remind us of Willie Sutton's famous quote when asked why he robbed banks: "Because that's where the money is."

The book then continues on to point out that all systems are potential security risks, not just Unix boxes. Holes have been found in many different operating systems, and we have by no means found all of the holes yet. While the authors don't explore specific implementation details of security on NT, OS/2, and Macintosh operating systems, the vast majority of the subject matter in the book is applicable to any system connected to the Internet.

Required Topics

Just as figure skating has its compulsory moves, certain topics are absolutely necessary in an Internet security book, and the authors do address them. The list includes firewalls, picking passwords, encryption (especially email encryption), spoofing, system configuration, and security policies.

The book also contains a description of physical security, including such topics as server co-location (putting your Internet machines in someone else's facility). Physical security is often overlooked due to the mistaken belief that security threats always come from the outside, and "Internet Security for Business" gives the subject the attention it deserves.

There is an excellent description of packet filtering, which goes deeper than most of the overview guides to Internet security on the market today. It covers packet wrappers, protocol translation, port assignments, and a number of tricks to bypass shoddy packet filtering. The authors also discuss how much is too much, explaining how to find the tradeoff point between leaving your system wide open and closing it up so tight that your employees can't get anything done.

Looking In From the Other Side

No book about security is complete without a discussion of the people who attempt to subvert that security. In this case, that means crackers, disgruntled employees, competitors, and hackers having fun. The authors examine the motivations of the people who might attempt to break into your systems, and even the tools that they use.

Particularly pertinent is the subject of "social engineering." This is the practice of tricking people into releasing information that compromises security. Crackers consider it the most powerful tool in their arsenal, and many security consultants admit that there is simply no way to prevent it. A skilled cracker can often get access to your system without ever touching a keyboard, simply by fooling employees into revealing their passwords or access codes.

Trojan horses are discussed at some length, and there is even a case study of the infamous Crackerjack program. A Trojan horse is a program that masquerades as something else. It might call itself a solitaire game when its real function is to vandalize your computer. Crackerjack was distributed as a tool for testing the passwords on a Unix system. It analyzes the password file and reports back the passwords it was able to crack. An early version of Crackerjack did a bit more, however. In addition to providing the system administrator with a list of "weak" passwords, it also forwarded the list to the program's author, who compiled a massive list of compromised user accounts.

Personally, I would have liked to have seen more on this subject. The "Where to Find More Information" appendix should have listed more of the hacker/cracker tools discussed in the body of the book, like Crackerjack and the infamous SATAN program, which received only passing mention. Just as football teams carefully scout and research their competition, security managers must carefully study those who would compromise their systems' security.

A discussion of H/P/A/V (hacking/phreaking/anarchy/virus) tools, bulletin board systems, Usenet newsgroups, and Web sites would have done a great deal for this book. The authors obviously can't cover everything in less than 500 pages, but this subject could have used more coverage.

Conclusions

I would recommend this book for anyone who needs an understanding of Internet security from a business point of view. It has enough technical detail for even techies to get something out of it, yet non-technical managers can skim over the heavy parts and gain a valuable understanding of the fundamentals of Internet security. Kudos to the authors, and to Wiley for another fine computer book.