The Basics of Information Security (book review)

Dr Jason Andress (ISSAP, CISSP, GPEN, CEH) has written a timely book on Information Security. Andress who is a seasoned security professional with experience in both the academic and business worlds, categorically demonstrates through his book that underlying the operation of any successful business today is how to protect your most valuable asset – “information”. Andress completed his doctorate in computer science in the area of data protection, and presently works for a major software company, providing global information security oversight and performing penetration testing and risks assessment.

In the last 12 months we have all witnessed a variety of large scale attacks on corporations and public sector agencies via hacking groups like Anonymous, who have used SQL injections, distributed denial of service (DDoS) attacks, advanced persistent threats (APT), and zero-day exploits to penetrate systems. Less visible and quantifiable have been insider attacks where data leakage has occurred as a result of industrial espionage.

Mobile computing, social networking, and cloud computing have all acted to heighten information security concerns prompting chief information officers (CIO) to reflect on their business practices. Of great significance today within an organizational setting, is the knowledge of how information is gathered, stored, and accessed by all staffing levels.

From the outset Andress offers models for discussing security issues – beginning with the confidentiality, integrity, and availability triad known as CIA. After doing so he describes the various types of attacks including interception, interruption, modification, and fabrication. He also introduces the difference between threats, vulnerabilities, and risk and discusses approaches to mitigating risks such as physical controls, logical controls, and administrative controls. While this is commonplace in most security fundamentals books, it is helpful to get the brief summary version so succinctly.

Chapter 1 ends with a discussion on a strategy common to military maneuvers known as “defense in depth”. A range of suggestions are made on how to ensure that each layer in defense in depth should be protected. Among these solutions are penetration testing, vulnerability analysis, backup, access control, encryption, content filtering, password hashing, logging, auditing, antivirus, firewalls, intrusion detection and prevention systems, stateful packet inspection, proxy, demilitarized zones and the like. This “defense in depth” approach with corresponding solutions forms the basis for segmentation of the book at large.

Chapter 2 introduces the reader to the fundamental concept of identification and describes various ways of authenticating a system user, from multifactor authentication to biometrics and hardware tokens. Chapter 3 describes authorization and access control lists (ACLs) with an emphasis on readwrite, and execute permissions. This chapter ends by discussing a variety of ACL models including: discretionary access control, mandatory access control, role-based access control and attribute-based access control. Chapter 4 is a brief chapter focusing on auditing and accountability, touching on the themes of non-repudiation, deterrence, intrusion detection and prevention, and the admissibility of records.

Chapter 5 covers cryptography and the cryptographic tools that are available for protecting data “at rest”, “in motion” and “in use”. The distinction is made in this chapter between protecting the data itself versus protecting the connection. Symmetric and asymmetric keys are described as well as other cryptographic tools such as hash functions, digital signatures, and certificates.

Chapters 6 and 7 offer some practical insights into operations security and physical security. In these chapters the reader is introduced to the importance of identifying which data in their corporation is of value. The operations security process begins with the identification of critical information, an analysis of threats and vulnerabilities and risks, and ends with an application of countermeasures. The emphasis is on (1) knowing the threats, (2) knowing what is of value to protect, and (3) the knowledge that if something of value is left unprotected, then inevitably it will be taken. Chapter 7 on physical security is about physical security controls, protecting people/data and equipment. It is mainly about infrastructure and the potential for physical threats and how the threats can be curbed through physical security controls. These controls are divided into three types: deterrent, detective and preventive. The chapter is comprehensive at looking at how businesses should choose appropriate sites for their particular type of work, people, data and equipment.

Chapters 8 through to Chapter 10 address network security, operating system security, and application security. The latter chapter is focused on how attackers might take advantage of very exposed online applications such as business-to-consumer electronic commerce self-service systems. Software development vulnerabilities, web security, and database security are each described in the final chapter.

The book includes illustrations and figures demonstrating key information security ideas, alerts to make the reader aware of particular insights, more advanced details for those wishing to do their own research above and beyond the contents of the book, and real world example summaries pertaining to key terms throughout the book. There is also an accessible bibliography mainly made up of online resources. The exercises at the end of each chapter also make this a good book for a first year security college class. It does not however include any practical exercises whatsoever, and so hands-on laboratory sessions would need to be developed to give the prospective student some idea of how some of these information security solutions would actually work in practice. All in all, this book is for those new to information security and for persons who are looking to learn about underlying concepts which underpin what is at the heart of information security in organizations. It is not an overly sophisticated book but it does achieve its purpose.

Citation: Katina Michael, [Book Review] "The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice, J. Andress. Syngress Elsevier", Computers & Security, Volume 31, Issue 4, June 2012, Pages 634-635 DOI: