The magazine of the Melbourne PC User Group
Web Security - For the Bookshelf
Major Keary
The media has recently carried reports of an alarming incidence of fraud, theft, and related crimes involving
the Internet. The extent of the problem could well be understated because many enterprises don't report
incidents. Of even more concern is the suggestion that the rate of Internet crime and attacks on privacy are
increasing.
Many books have been published about computer and network security, but they tend to be aimed at
administrators and other professionals, and to focus on some specific aspect of security.
Web Security, Privacy & Commerce, written by two authors each of whom has a special interest in
computer security, has just been released in a second edition that has been substantially expanded and
updated. The book stands out from the rest because it is written for users, administrators, and ISPs; it does
not assume a strong technical background; and it deals with its subject at a practical, real-world level.
The primary audience includes people who are "familiar with the operation and management of a networked
computer", who know "how to perform routine system management tasks, such as backups", who "have a working
knowledge of the [Web] and know how to install and maintain ... [a] web server". A secondary audience
includes "people who have a working familiarity with computers and the Web, but who are not familiar with the
nitty-gritty details of computer security".
Anyone who wants an introduction to web security, whether from a perspective of privacy protection or from
that of secure digital transactions, should look no further. This text provides a comprehensive coverage of
the problems - including how attacks are mounted - and real-world solutions.
On the 'problem' side there are accounts of attacks, including some that were mounted to demonstrate the
vulnerability of certain applications. On the 'protection' side the authors present excellent discussions and
explanations of various tools and how they work; for example, Secure Sockets Layer (SSL), and public key
cryptography.
Apart from technical matters, the book contains a lot of practical information and advice, such as protecting
a system from damage by accident or damage/theft resulting from physical intrusion.
The book is arranged in parts:
Web Technology contains an overview of the Web security problem and discusses risk analysis, the architecture of the Web, an overview of cryptography as it is used on the Web, Secure Sockets Layer (SSL), and digital identification issues.
Privacy and Security for Users deals with privacy techniques and technologies, theft prevention, and problems arising from mobile code (plug-ins, ActiveX, VB, Java, etc.).
Web Server Security discusses physical security for servers, host security, securing web applications, SSL server certificates, protecting the DNS and domain registration, and computer crime.
Security for Content Providers looks at issues to do with content: access control, client-side digital certificates, filtering and censorship, privacy policies and regulations, digital payments, and intellectual property.
A feature of the book that impressed me is the way in which technical matters are dealt with in narrative
form that makes for easy reading. Useful diagrams are used to make some of the more complex topics, such as
public key systems, easier to follow.
I was also impressed by the panoramic view, so to speak, of the web-security landscape. This is no rambling
tour of web trivia and sundry hints; it is a well structured text that includes information that does not
appear in other web-security literature. There is some material, relating to legislative provisions, that is
not directly relevant to non-U.S. users, although it points to the kind of information that local users
should seek.
An appendix contains an account of Simson Garfinkel's experience in setting up and operating a small ISP.
Even though some of the detail is U.S.-centric, it has its equivalent for local readers wherever they are. It
presents a number of lessons, beginning with, "Whenever you are pulling wires, pull more than you
need".
Before you read anything else about Internet security, read this book. Anybody considering use of the Web for
commercial purposes, no matter how large or how small, should study it. Highly recommended.
Garfinkel and Spafford:
Web Security, Privacy and Commerce
ISBN 0-596-00045-6
Published by O'Reilly, 756 pp., RRP $120.00 incl. GST
Reprinted from the July 2002 issue of PC Update, the magazine of Melbourne PC User Group, Australia