Book Review: IT Security: Risking the Corporation
Title: IT Security: Risking the Corporation
Author: Linda McCarthy
Publisher: Prentice Hall
ISBN: 0-13-101112-X
Price: $29.99 USD
Reading IT Security: Risking the Corporation will not make you a computer security guru, but it may raise the awareness of someone who is new to computer security or uneducated about the risks insecure systems can create both internally and externally. This 250-page book is well spaced with a clean layout that is easy to read.
IT Security starts out with ten chapters of McCarthy's auditing war stories about computer security breaches at corporations. McCarthy states the stories have been pulled from her journals and include her experiences in real companies, with names changed to protect the parties involved. In chapter 12 McCarthy does an analysis of a hacker attack on a networked system. Most of the chapters seem to reiterate the messages "do not leave out-of-the-box installations running exposed" and "patch your systems". Each war story chapter concludes with some lessons learned and a prevention checklist, but I did not find them to be too insightful.
The stories McCarthy presents show many different facets of computer security. Topics range from internal compromises to the comedy of errors that can result from not having policies and procedures to follow when dealing with a break-in. The policies and procedures McCarthy illustrates a need for could be enlightening to technical people who are not used to working in a team environment. McCarthy also focuses on technical exploits, and social engineering methods do not even get a mention.
The appendix includes a listing of product vendors and software. The book contains a brief glossary of computer security related terms and a good index.
Throughout the book, McCarthy is so intent on homogenizing the stories to protect her clients and refraining from revealing hacker tools and techniques that it really detracts from the usefulness of this book. I disagreed with her approach and would rather learn the names and techniques being used against systems I monitor.
As somebody who is concerned about computer security in a firm setting, I do not think there was much for me to take away from this book. To anyone else who can name at least one cracking tool, I would say save your money. Web sites are available that can tell you more about computer security than this book.
This book is targeted at a less-technical audience and is exactly the kind of thing you could give to a company president, CEO or financial auditor who has new responsibilities for computer auditing. It also might be helpful for anyone who controls the computer security budget in trying to create a response designed for more support. For people not used to dealing with computer security, this could be a tame way to shock them into awareness, even if it only starts to uncover the complicated mess of computer security.
If you are looking for a technical book for duplicating or thwarting computer system cracking methods, IT Security: Risking the Corporation is not the book. If you need to educate or scare a person in authority into a new understanding of computer security issues, this book may do the job.
Nathan Smith is a sysadmin for an intellectual property law firm. He is always looking for ways to move toward a more efficient and open environment.