Web Security & Commerce (O'Reilly Nutshell)

List Price: $34.95
Your Price: $34.95

Rating: 4 stars
Summary: Web Security, Privacy & Commerce
Review:
The Internet is an unsecured communication system; it was not designed to be inherently secure. The simple act of browsing a Web page on a remote computer can involve sending packets of information to, and receiving them from, more than a dozen different computers operated by just as many different organizations.
The division of responsibility among multiple organizations makes it possible for each of these organizations, and more, to eavesdrop on your communications or even to disrupt them. There is no privacy once you visit a Website, because Internet Explorer stores cookies in a folder in the history directory. These cookies can be very powerful; anyone who can gain access to your cookies can learn information about you.
In today's World Wide Web environment, you must stay abreast of newly discovered vulnerabilities if you wish to maintain a secure computer that is connected to the Internet. The day has long passed when security vulnerabilities were kept quiet. These days vulnerabilities are usually publicized with breathtaking speed once they are discovered. What's more, once a vulnerability is known, exploits are quickly developed and distributed across the Internet. In many cases system administrators have only a few hours between the time that a vulnerability is first publicized and the time when they will start to be attacked with it. Also, some flaws exploit protocols you need to allow through your firewall. Despite all the new vulnerabilities being created and discovered, the underlying concepts of web security have changed very little, and as such this book concentrates on teaching concepts and principles rather than specific commands and keystrokes, and it does a good job of it.
Firewalls are thought to improve computer security because they can exercise precise control over what information is passed between two networks. Firewalls do nothing to protect against insider misuse, viruses or other internal problems. They only provide the illusion of better security.
A good computing infrastructure will continue to function in the face of adversity, whether man-made or natural disaster. Building a secure computing environment requires careful planning and continued vigilance. There is no substitute for vigilance.
A secure server is not a server that implements cryptographic protocols so that data transfers cannot be eavesdropped upon, nor a Web server that will safeguard any personal information received or collected, nor one that does not subvert browsers to download viruses or other rogue programs onto user computers.
Simson Garfinkel and Gene Spafford conclude that a secure Web server is one that is resistant to a determined attack over the Internet or from a corporate insider.
Generally accepted principles in computer security consist of recommendations, procedures and policies that are known as Best Practices.
But even Best Practices have their own problems; the biggest is that there is really no one set of best practices that is applicable to all websites and Web users. The authors of this book recommend a combination of Risk Analysis and Best Practices.
Unfortunately, Simson Garfinkel knows that the application of risk analysis to the field of computer networks has been less successful.
It is impossible to calculate the risk that an attacker will be able to obtain system administrator privileges on your Web server.
I have never seen a book packed with so much information on Web security as this book. I will recommend it to anyone who wants to have a good foundation in Web security; the understanding that I have gained reading this book is unbelievable.
This book is about Web security, privacy and commerce on the World Wide Web.
Organized into five parts, it examines the security policies in use on the Web today and the strategies available to minimize the risk in using the World Wide Web.
Part 1. Web Technology: examines the underlying technology that makes up today's World Wide Web and how the Internet works in general. The Architecture of the World Wide Web; Cryptography Basics; What Cryptography Can't Do; Legal Restrictions on Cryptography; Understanding Secure Sockets Layer (SSL) and Transport Layer Security (TLS); What Does SSL/TLS Really Protect (actually it does little to protect against the real attacks that consumers and merchants have experienced on the Internet); Digital Identification (Passwords, Biometrics, Digital Signatures, Digital Certificates, CAs, and Public Key Infrastructure (PKI)).
Part 2. Privacy and Security for Users: Understanding Cookies; Privacy-Protecting Techniques; Choosing a Good Service Provider; Avoiding Spam and Junk Email; Identity Theft; Privacy-Protecting Techniques; Blocking Ads and Crushing Cookies; Backups and Antitheft; Mobile Code Plug-Ins, ActiveX, and Visual Basic; The Risk of Downloaded Code; Java, JavaScript, Flash, and Shockwave.
Part 3. Web Server Security: Physical Security for Servers; Protecting Computer Hardware; Protecting Your Data; Host Security for Servers; Secure Remote Access and Content Updating; Firewalls and the Web; Securing Web Applications; Deploying SSL Server Certificates; When Things Go Wrong; Securing Your Web Service; Protecting Your DNS; Computer Crime; Your Legal Options After a Break-In.
Part 4. Security for Content Providers: Controlling Access to Your Web Content; Access Control Strategies; Client-Side Digital Certificates; Code Signing and Microsoft's Authenticode; Why Code Signing; Pornography, Filtering Software and Censorship; Privacy Policies, Legislation, and P3P; Children's Online Privacy Protection Act; Digital Payments; Internet-Based Payment Systems; How to Evaluate a Credit Card Payment System; Intellectual Property and Actionable Content; Copyright, Patents, Trademarks.
Part 5. Appendixes: Lessons from Vineyard.NET; the Platform for Privacy Preferences Project.

Rating: 5 stars
Summary: Right on the mark!
Review: Having spent a dozen years in what used to be called EDP security, but not having concentrated in the area recently, I found that the book was perfect. It avoids belaboring what is now obvious to everyone, and succeeds in covering the whole spectrum of web security issues in a single volume. It is hard to write about the history of monetized plastic (credit, debit, and smart cards) without either going into great detail or sounding like there is a great new world dawning, but Garfinkel and Spafford tread that narrow line. Similarly, the nuances of PKI can very quickly dominate anything written about it, and the authors succeed in avoiding this trap. It was interesting to see that the authors basically dealt with Denial of Service attacks a couple of years before the "famous" DoS attacks on Yahoo and E-Trade. In short, reading the book won't make you a web security maven, but it most likely will prompt you to ask the right questions about the subject, and can certainly make you sound like one! Super book!

Rating: 4 stars
Summary: A good overview, but aging
Review: I spent quite a bit of time going through this book. It's not a bad book. Very comprehensive and thorough, and generally a pretty well-balanced point of view. It acknowledges that security is a trade-off, and looks at many different options.

I have 2 main problems with it. Firstly, it's simply getting a little old. While 85% of it is still relevant, I'd like to see a second edition. They spend too much time talking about Netscape 3 problems for my liking.

Second is the reason it lost a star. The guys who wrote this obviously know their stuff, but in some ways know it a little too well. The result of this is that when they go to explain a subject (public key infrastructure, for example) they have a tendency to jump straight into the details, implementation issues, problems, etc., without ever giving you a big picture of it first, or only very briefly if they do. If you understand the basic principles of all security concepts, then this is great, but if, like me, you bought this book to learn the fundamentals, you may find yourself (as I did on several occasions) doing research on the web to understand the big picture before going back to the book.

But for a good overview for people who are at least semi-technical, it's not bad.

Rating: 4 stars
Summary: Valuable to Technical & Non-Technical Readers
Review: This book is an ideal introduction to the broad landscape of security methods and technologies for non-technical users. It is also an excellent resource for IT professionals who need to quickly get up-to-speed on web security.

My background is mostly "big iron", consisting of 24 years of mainframe and mid-range experience and a little more than a year in distributed computing (UNIX/Linux, network, etc.). In the good old days security consisted of RACF, ACLs, and some common sense rules about physical and logical access controls. Not so today, and until I read this book I had a nagging feeling that there was a large gap in my professional knowledge. Moreover, as a home user who spent a lot of time on the web I would get frustrated by messages issued by my browser about certificates. This book came to my rescue on all counts.

The first two sections, The Web Security Landscape and User Safety, were illuminating. If a non-technical user only read these parts of the book he or she would come away with a good understanding of the risks faced on the web, and how to mitigate or eliminate them. The one complaint I have about these two sections is the material is woefully out of date. I subtracted a star from my rating for this reason.

The next three sections of the book are a wide survey of security technologies that cover digital certificates, cryptography, and web server security. These provided me with a basic understanding of technologies that I need to know as an IT professional working in distributed environments. When comparing what I needed to know about security in the mainframe world to what I need to know as an IT consultant, I could not help thinking, "We're not in Kansas anymore!" The material was clear and easy to understand and built my personal self-confidence. This part of the book will not make you an expert by any means, but you will come away with a good grasp of the elements of web security and a very basic understanding of how everything works and fits together.

Commerce and Society is the title of the book's last section and contains thought-provoking information on topics such as digital payments, censorship technology and such. I especially liked the two chapters that addressed civil and criminal legal issues. Despite the fact that this book is out of date with respect to specific products, it is a great introduction to web security. Unlike other O'Reilly books that are deeply technical, this one can be easily understood by home and business users as well as IT professionals. I personally gained a lot from the book and highly recommend it.

Rating: 4 stars
Summary: A good overview, but aging
Review: This book, together with Virtual Private Networks, 2nd Edition (ISBN: 1-56592-529-7), O'Reilly & Associates, Copyright 1998, forms the basis for the course MIS4245 - Net Security and Legal Issues - at Northeastern University (University College, evening division) here in Boston.

Since I am currently teaching this course for the very first time, I have found it to be well targeted for Business Administration undergraduate-level students. The prose is pleasant and often entertaining, with the technical information provided with just the right balance of detail and concept, reinforced with recent related anecdotal examples.

While it could stand some "updating" (technology is moving at blinding speed in this area), the authors' basic messages of why security is important, typical techniques employed by the "bad guys", and the emphasis on protection and prevention versus reaction and recovery all strike true, loud and clear.

In my regular day job, as someone involved in the field of Software Quality Assurance for web-based applications, I ordered everyone on my staff a copy for their personal use. At the Amazon price, it is a bargain!

Rating: 4 stars
Summary: Definitive Guide for Internet Security
Review: This book not only explains system security, it goes into technical detail, something that 95% of books always lack. I shouldn't have to say this book is good; it's from O'Reilly. It covers PGP and how it works (not just what it is), SSL, TLS, login security, CGI security (they give actual code examples, not ideas), and hardware-based security with things like smart cards. There is also a chapter that explains what to do after you have been broken into and explains your legal routes of action as well. I also liked the fact that there is a chapter that explains the authors' route of action while working at an ISP. This book is a good buy if you need to learn about security and e-commerce and all the options you have relating to security. I've read a lot of books, and it's rare to find a book that explains things and also gives technical details. I know I'm not the only person who is sick of seeing every book being written for people who have never used a computer before and that do not give code examples and real-world implementation. The only bad thing I have to say about this book is that there isn't a chapter that explains creating your own encryption method for Perl/C/PHP/ASP or the math behind it, but the material they do have does a good job of getting you very near this subject.


© 2004, ReviewFocus or its affiliates