Date: Wed, 10 Feb 1999 19:58:18 -0700 (MST)
From: mea culpa <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] REVIEW: "Fighting Computer Crime", Donn B. Parker


Forwarded From: "Rob Slade" <slade@sprint.ca>

BKFICMCR.RVW   981106

"Fighting Computer Crime", Donn B. Parker, 1998, 0-471-16378-3,
U$34.99/C$49.50
%A   Donn B. Parker dparker@sric.sri.com
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   1998
%G   0-471-16378-3
%I   John Wiley & Sons, Inc.
%O   U$34.99/C$49.50 416-236-4433 fax: 416-236-4448 rlangloi@wiley.com
%P   512 p.
%T   "Fighting Computer Crime: A New Framework for Protecting
      Information"

Parker feels that too much of the data security field concentrates on
technical answers to the problems of reliability, integrity, and
availability of data, and doesn't pay sufficient attention to those people
who are deliberately out to read, steal, or ruin your information and
systems.  Personally, I find it rather ironic that he defines "crimoids,"
in chapter one, as minor events promoted to much higher significance by
the media, and public misperceptions.  In the non-specialist realm, more
people spend more time worrying about "hackers" than ever back up their
drives.  (I am reminded of a friend: an intelligent and educated person
who started his career programming large and sophisticated information
systems and who has now risen to the executive ranks, but who has for years
refused to get a modem for his home computer.  In spite of his frequently
expressed desire for access to the Internet, and my repeated assurances
that with his current computer and operating system there is no hidden
danger, he remains convinced that the mere attachment of a modem to his
machine will allow someone to break into his computer and damage it.)

Who, then, is this book written for?  The author does not say, but what he
does say in the preface seems to indicate that he is not writing for those
whose business cards make reference to security.  (I have neither argument
nor inclination to dispute Parker's assertion that security
"professionals" do not really deserve the designation.) But if this text
is aimed at the general public, chapter one's emphasis on the dangers and
lack of protection would seem more inclined to incite further panic,
rather than a realistic and measured response. 

Chapter two is an interesting and useful examination of an often unasked
question in the field: what is the nature of the information we are
supposedly securing?  There are valuable side points, such as both the
danger and the opportunity in the security arena presented by the Year
2000 problem.  At the same time, I have to note that an erroneous
description of the Cascade virus is an example of Parker's asserting
points that are just beyond the available facts, and, for me anyway, has
an unfortunate effect on the trustworthiness of the work as a whole.  The
review of cybercrime, in chapter three, has more reference to journalism
and other forms of fiction than to reality, but I have to agree with
everything said there.  Computer misuse and abuse is discussed in chapter
four.  (As if to make up for chapter two, the section on viruses is very
good.)  Network misuse is covered in chapter five, and although I still
have trouble believing in the reality of salami attacks (Parker's sole
example is said to have resulted in a conviction, but no citation is
given) I am a bit more willing to accept his broader definition.  Chapter
six is extremely strong in portraying a realistic and broadly based
analysis of characteristics of computer criminals.  A similarly informed
and balanced approach distinguishes chapter seven, regarding hacker
culture, but there is also a universally condemnatory tone that is not
wholly justified by the facts as presented.  Chapter eight is a very
helpful first step for those wanting to deal in the art of computer
security. 

Chapter nine reviews the deficiencies in most current security practices,
noting overprotection in some areas while ignoring loopholes in others,
and a flowery jargon that serves mostly to hide the fact that security
people just don't feel very comfortable with what is going on.  However,
Parker's new model of security, in chapter ten, while it is very clear and
useful, does not extend recent work in, say, electronic commerce.  On the
one hand, this congruence does support the model, but on the other, one
can't really say it is too novel.  The popular, but demonstrably
incomplete, risk assessment study is de-emphasized in favour of a more
difficult, but more realistic, baseline security standard in chapter
eleven.  Details on how to conduct such a study are very helpfully given
in chapter twelve, although the benchmark chart is going to be much harder
to come by than is made clear in the text.  Chapter thirteen provides a
practical and useful set of criteria for determining control objectives. 
A number of security tactics are detailed in chapter fourteen.  Chapter
fifteen takes the larger strategic view.  (I was delighted to see the
inclusion of a section on corporate ethics in this chapter.  Recently I
contracted to produce a security document for an educational institution,
and was told to take the section on ethics out.)  Management of security,
in chapter sixteen, includes provisions for training, policy, and other
factors.  Chapter seventeen finishes off with a look to the future.  The
material, while thought-provoking, is possibly more likely to generate
arguments than solutions.

Parker's stance on security in general definitely puts him in the camp of
the professional paranoids.  However, absent the first and last chapters,
there is a lot of good, solid knowledge here to help educate any security
practitioner.  The material in the second half of the book is just as
valuable to the security process as the more technical works such as
"Practical UNIX and Internet Security" (cf.  BKPRUISC.RVW) by Spafford and
Garfinkel, albeit in quite a different way.  An informed security policy
is every bit as important as a good set of "access" controls. 

copyright Robert M. Slade, 1998 BKFICMCR.RVW 981106
