2006-09-01
Abstract
David Harley reviews Robert Slade's Dictionary of Information Security.
Copyright © 2006 Virus Bulletin
Title: Dictionary of Information Security
Author: Robert Slade
Publisher: Syngress
ISBN: 1-59749-115-2
Cover price: $29.95
Although Robert Slade's Dictionary of Information Security has only just made it to the printed page, it replaces his online security glossary, which for several years resided at http://victoria.tc.ca/techrev/secgloss.htm. (The glossary has now been removed, but the page remains as a home for errata and updates to the printed dictionary.)
Slade's credentials in the security field are impressive, as a writer, book reviewer and instructor. In fact, this book derives in part from his professional involvement with (ISC)2, whose Common Body of Knowledge (CBK) is the basis for the CISSP qualification. The web version of Slade's glossary was a popular free resource for CISSP candidates, and will no doubt be missed.
Glossary compilation in this area is a complex and frustrating task. The security field is knee-deep in obscure, inconsistently used jargon. Even worse, individuals and groups go to extravagant lengths to invent their own terminology, ignoring perfectly serviceable 'not invented here' usage. It is not easy to produce definitions that are reasonably short, clear, accurate, and which don't rely on an assumed knowledge of esoteric terms and concepts. Both the CBK and Slade's dictionary attempt to address these problems by introducing a consistent source of baseline definitions.
The cover notes and the author's preface suggest that the book is appropriate for security professionals and specialists, CISSP and other certification candidates, students of computer science or computer security, system and network administrators, and managers with security responsibilities.
The book contains no fewer than five forewords, each by a well-known and long-established name in information security and assurance: Fred Cohen, Jack Holleran, Peter G. Neumann, Hal Tipton and Dr Eugene Spafford. In addition, there are short biographies of the author and foreword contributors, publisher and author acknowledgements, plus a preface and an 'Introduction to Infosecspeak' by the author.
Does a relatively short dictionary actually need five forewords? Perhaps not. However, the fact that so many acknowledged experts are willing to contribute says something about the author’s standing in the field.
The book is quite short, given the breadth of its subject matter: the main body runs to 222 pages, including the appendices. However, according to the author, the book's objective is to cover 'all the basic jargon of security, without bloating itself with every minor variation on a terminological theme'. The Preface and References sections include pointers to a range of alternative resources for those who need more detail in specific areas. (It's always a pleasure to read a security book whose author doesn't assume that no reader will ever need to consult another information resource.)
Unsurprisingly, the book follows a straightforward dictionary format (though there are no notes on pronunciation or, in general, etymology): a section for each letter of the alphabet, plus sections for symbols and numbers, which happen to contain one item each – '*-property' and '3DES'. There are, however, two appendices.
Appendix A is a references section: rather than attempting to supply references for each entry, the author simply lists (with a short evaluative description) a number of communications-related dictionaries, glossaries and encyclopaedias.
Appendix B is an extract ('The Lagos Creeper Box') from the fictional story Stealing the Network: How to Own a Continent (also published by Syngress). It is included on the grounds that the security risks to which the book refers could qualify it for a place in a security awareness program. This extract reminded me a little of the Net Force Tom Clancy franchise offshoot, albeit with added techie cred. Not without interest, but it sits oddly in the context of a security glossary.
Though much of Slade's previous writing is malware-related, this book is by no means virus-heavy. In fact, the malware content, albeit accurate as far as it goes, seems oddly dated. A number of older malware examples get a mention, but very little more recent than Nimda or Hybris. I agree that it would be counterproductive to try to include the name of every virus that the reader may have heard about. However, it seems odd to mention more-or-less extinct malware such as Michelangelo or Jerusalem, but to omit more recent high-profile malware such as Sobig and MyDoom.
Similarly, there is no specific reference to botnets, specific bots (though zombies get a mention), or to major network worms like Slammer and Blaster. It would improve the book to include a few more recent, high-impact examples, or even to restrict the number of examples and include only those with a really high profile. There are definitions of phishing (and even of spear phishing), pharming and identity theft, but not of money-laundering or mules (or even of puddle phishing). However, the author points out that this is very much a work 'in progress', anticipating ongoing updates and further editions for years to come. He even includes a pointer to a mailing list for anyone wanting to help with the project, so it seems likely that such anomalies will be dealt with in due course.
The Dictionary of Information Security is well written, clear and, while no two security experts are going to agree on every aspect of every definition, accurate. The tone is informal and commendably anti-jargonist. Some of the entries are more flippant than others (check out Ohnosecond, the Ninety-Ninety Rule and Wannabe), but I found that rather refreshing.
A reasonably computer-literate general reader might find it a more consistent and accurate guide than most web resources, without being overly technical. It should find a ready market among computer science and information security students, and even more so among security certification candidates. It would be particularly useful to CISSP candidates to supplement the 'Official (ISC)2 Guide to the CISSP Exam'.
Security professionals needing a definition outside their own speciality may find it a good starting point, and the seasoned generalist might find it useful sometimes as a reliable memory jogger. However, I see it as being more useful to those unfortunate souls who find systems security administration or management thrust upon them suddenly, and who are struggling to keep their nostrils above the water line.
Most of all, it will be appreciated as a source of dependable baseline definitions by anyone who has learned to mistrust the astonishing volumes of misinformation that appear when summoned by Google searches on security terms.
The editing and proofing are generally to a high standard, though there are one or two loose ends: for instance, the definition of ItW refers to the WildList, but there is no definition of the WildList or the WildList Organization. EICAR gets a mention, but CARO does not. URLs are not generally included, which makes sense: it's much less painful to maintain a resource that is impervious to the whims of webmasters. However, definitions of items such as BS7799 and ITIL might benefit from specific information on where to find reliable further information.
Slade's book fills a pretty wide gap in the market, and is highly recommended.