
ISBN: 1475286244

ISBN13: 9781475286243

The Little Black Book of Computer Security, Second Edition


Format: Paperback

Condition: New

$14.95
50 Available
Ships within 2-3 days

Book Overview

The Little Black Book of Computer Security, Second Edition An easy guide for the IT professional, ISBN 978-1-58304-150-5 What's up in this New Second Edition? Updated Information on keeping your... This description may be from another edition of this product.

Customer Reviews

5 ratings

Great little computer security book

The book is written so that anybody can pick it up and use it. The author does not bother going into great detail explaining the security concerns or the various steps that he includes to resolve or mitigate the issues. However, there is enough information there to point you in the right direction. That is the strength of the book: it is small and concise, but provides the information that administrators, or I.T. managers, or even everyday computer users, need to analyze their own security and identify areas that need strengthening. If the reader does not know the difference between a POST and a GET command, they will need to go elsewhere. But this book will at least have let them know that those are areas they should be concerned with. The Black Book won't make you a security guru, but it can be a great tool to help you audit and lock down your computer security.

Checklist mania

The book is excellent as a checklist approach to security and how broad security really is. The weakness lies in the detail. For example, the author suggests removing the following characters as part of input validation (&, !, #, $, %, *, @). Unfortunately, if your field is for email, the @ will be required. In addition, if someone is doing a SQL attack, they still have all the great ones left (, =, '). My rating was based on the checklist, not on the technical advice.

Great Tool For Assessing and Improving Security

Some computer security books are written for complete novices, while others assume some level of knowledge on the part of the reader. The Little Black Book of Computer Security does neither. Joel Dubin's book is written in such a way that anybody can pick it up and use it as an action plan. Dubin does not bother going into great detail explaining the security concerns or the various steps that he includes to resolve or mitigate the issues. But, there is enough information there to point you in the right direction. That is the strength of the book really. It is small and concise, but provides the information that administrators, or I.T. managers, or even everyday computer users, need to analyze their own security and identify areas that need strengthening. If the reader is going through the Secure Your Web Site chapter and doesn't understand what the 'Root Directory' is, or what the difference between a POST and a GET command is, they will need to go elsewhere to educate themselves. But, this book will at least have let them know that those are areas they should be concerned with. The Black Book won't make you a security guru, but it can be a great tool to help you audit and lock down your computer security.

Great book for anyone in the technical field, whether hands on or in management.

This book is a very different approach to Information Security. I have to say, I think this style is long overdue. The style that Joel uses is a checklist format to most security issues facing companies today. The book starts off with an introduction to Information Security, including many definitions and terms. This is the only place I really have any issues with the book. Some of the definitions are not in line with the Information Security community's definition. Without going into too much detail, I highly recommend that anyone who reads this book, please take the definitions lightly. Focus more on the actual content of the book. The first step the author takes is to categorize attacks. He does this to help lay out the rest of the book. After categorizing attacks and risks, he introduces you to assessing your systems. This is where this book excels. The format from this point forward is in the form of lists. Almost checklist like in some chapters. The checklist could be used by anyone in technology that needs to understand or quickly get a grasp of what should be considered when auditing systems. The Email chapter is a good example of how these outlines are provided and how they can be helpful. The chapter starts out with a few paragraphs about overall security of email, such as sniffing and spoofing as threats. It then quickly turns to outline format starting with overall posture, encryption, providing privacy to specific users, and then heads to Spam and Infections. In this chapter the author also tangents and provides a sidebar on how fake emails can be generated and sent. This information could help one understand the simplicity in the attacks as well as give some firepower to the reader to present to management when trying to gain funding for extra protection.
Chapters that follow are Writing Policies, HR and Physical security, Software Access Controls, Email Security, Malware protection, Web site and Perimeter protection, Intrusion Detection and Response, Disaster Recovery, Wireless, Securing Code, Operating System Security, Protecting Privacy, Preventing Identity Theft, and Protecting Children. Each of these chapters provides an outline of absolute items that must be considered when discussing security on any of the subjects. The outlines are very well organized and some will even go into detail about other considerations. The book rounds out with future security trends and some cheat sheets, useful web links and other goodies that any reader could find helpful. Overall this book is for anyone in the technical field, whether hands on or management. The book is written in such a way that anyone wanting to audit or assess a specific in their environment would find this book helpful. I recommend this book and give it 4 stars.

Helping the novice feel smart about computer security

As a complete novice, I found this book to be very helpful. I oversee a growing business with equally growing IT needs, and I have been increasingly concerned about the security of my computer systems. I was looking for something to give me a brief overview of the process and found it in this book. It also wasn't too technical for a businessperson, such as myself, to understand. I recommend it to any business manager involved in IT security.