Written by Thomas C. Greene
Published by Apress, copyright 2004, 403 pages
ISBN: 1-59059-316-2
Rating 10 out of 10
Summary
This book does exactly what it is meant to: explain basic computer security to the "little people". Most security books are made for people with in-depth technical knowledge who work in the IT field. However, until recently there has been very little in the way of education for the home users (and small offices) out there. This is a much-needed type of book that should be included whenever a computer is sold.
For the IT Pros
This book is still a great buy for you, though maybe not for your own reading but to give to family, friends, and clients. I'm sure you are sick of receiving unsolicited email day in and day out. If home users start learning about the basics such as firewalls, anti-virus, and even switching to Linux operating systems, then it can make your day a lot easier.
For the Microsoft Bashers
Greene does an excellent job of presenting the case to switch to non-Microsoft software, especially Mozilla and Linux, in a concise fashion, repeatedly throughout the entire book. Unlike some other books, though, this is nicely done and backed up with solid reasons why you should switch to improve security.
Details
The book begins with a "Contents at a Glance" page, which is a feature I wish more books would include. Greene explains the importance of egress filters and how an incoming-only firewall is not enough. Right from the start he recommends Mozilla instead of Internet Explorer, which is especially timely now with the US-CERT/DHS recommendations. Along with suggesting an alternative browser, he then goes into a good explanation of HTML email and its related problems. After explaining the reason, Greene goes on to explain the method to protect against it, such as, in this case, turning off the HTML service. This is a recurring theme throughout the book. The author explains the WHY (usually in brief, though, so don't get too worried) and then shows the HOW to fix it. The complete, easy-to-follow Mozilla setup walkthrough is a great next step because most people are not familiar with Mozilla.
In the first chapter Greene talks about the "hobby hacker majority" and the basics of how script kiddies operate. Greene throws in a play for Linux, this time for anti-virus reasons. I also liked the good case studies and post analysis. One area that I believed could have been better was the comments about credit card fraud. Credit cards are going to be used, and I believe they should have helped the reader, such as with ways to tell legit companies.
Software is a big problem, and anything not needed shouldn't be there, which is something the book discusses and I wish more people would understand. It is always easier (and safer) to keep the fewest number of applications up to date and patched.
In chapter two there is more talk about Linux, this time about better "patchability" of the core system because of fewer dependencies from other software. I'm a big fan of Linux and am using it more and more often, and recommending it to my clients. However, Greene does present a strong case for making the Linux switch.
Some of the other high points of the chapter include a great explanation of having multiple accounts from a security perspective, interesting talk about Palladium and Linux compatibility (or lack thereof) and disabling Windows Services.
In chapter three the author talks about the user being the weak link; it seems you really cannot get around human nature. Greene points out that customers expect fast, friendly service, not security checks. It is a numbers game with SPAM email - it only takes 1 response to make it cost effective.
One of the areas that I do not believe is quite right was when Greene says you can't trust them unless you know them. However, even if you trust the other party they may still be unknowingly sending you a virus or other malware.
Chapter four has a good netstat walkthrough and also a good introduction to Ethereal, and explains that you should start with netstat. The author goes over system monitoring. However, I was surprised that there is no mention of Nessus and using differential scans, especially when they did bring up Ethereal.
Greene mentions doing a web search on unknown ports, which is a great tip that holds for many other situations when a person doesn't know something, such as names of running processes.
Chapter five has a good walkthrough of adjusting virtual memory volumes. There is no mention of whether we really need virtual memory any more, though.
One of my pet peeves in books is when web site statistics terms are misused, and I believe Greene makes this all-too-common error in the chapter when he uses the term "hits" where a clearer word would have been "results".
Chapter six is devoted to the "open-source escape hatch". In this chapter I especially liked Greene's analogy to the Model T with the "just good enough" mentality of much of the software today. The author again drives the point for open source with his "value for money" examples.
Chapter seven begins with a lengthy discussion about self-proclaimed experts and FUD in the information security sector. This is important to keep in mind, but it seems like the point was long and drawn out. The second part of the chapter is much better, discussing such concepts as unintended consequences.