War of the words

2006-09-01

David Harley

Small Blue-Green World, UK
Editor: Helen Martin

Abstract

David Harley reviews Robert Slade's Dictionary of Information Security.


Introduction

Title: Dictionary of Information Security

Author: Robert Slade

Publisher: Syngress

ISBN: 1-59749-115-2

Cover price: $29.95

Although Robert Slade's Dictionary of Information Security has only just made it to the printed page, it replaces his online security glossary, which for several years resided at http://victoria.tc.ca/techrev/secgloss.htm. (The glossary has now been removed, but the page remains as a home for errata and updates to the printed dictionary.)

Slade's credentials in the security field are impressive, as a writer, book reviewer and instructor. In fact, this book derives in part from his professional involvement with (ISC)2, whose Common Body of Knowledge (CBK) is the basis for the CISSP qualification. The web version of Slade's glossary was a popular free resource for CISSP candidates, and will no doubt be missed.

Glossary compilation in this area is a complex and frustrating task. The security field is knee-deep in obscure, inconsistently used jargon. Even worse, individuals and groups go to extravagant lengths to invent their own terminology, ignoring perfectly serviceable 'not invented here' usage. It is not easy to produce definitions that are reasonably short, clear, accurate, and which don't rely on an assumed knowledge of esoteric terms and concepts. Both the CBK and Slade's dictionary attempt to address these problems by introducing a consistent source of baseline definitions.

Target audience

The cover notes and the author's preface suggest that the book is appropriate for security professionals and specialists, CISSP and other certification candidates, students of computer science or computer security, system and network administrators, and managers with security responsibilities.

Structure

The book contains no fewer than five forewords, each by a well-known and long-established name in information security and assurance: Fred Cohen, Jack Holleran, Peter G. Neumann, Hal Tipton and Dr Eugene Spafford. In addition, there are short biographies of the author and foreword contributors, publisher and author acknowledgements, plus a preface and an 'Introduction to Infosecspeak' by the author.

Does a relatively short dictionary actually need five forewords? Perhaps not. However, the fact that so many acknowledged experts are willing to contribute says something about the author’s standing in the field.

The book is quite short, given the breadth of its subject matter: the main body runs to 222 pages, including the appendices. However, according to the author, the book's objective is to cover 'all the basic jargon of security, without bloating itself with every minor variation on a terminological theme'. The Preface and References sections include pointers to a range of alternative resources for those who need more detail in specific areas. (It's always a pleasure to read a security book whose author doesn't assume that no reader will ever need to consult another information resource.)

Unsurprisingly, the book follows a straightforward dictionary format (though there are no notes on pronunciation or, in general, etymology): a section for each letter of the alphabet, plus sections for symbols and numbers, which happen to contain one item each – '*-property' and '3DES'. There are, however, two appendices.

  • Appendix A is a references section: rather than attempting to supply references for each entry, the author simply lists (with a short evaluative description) a number of communications-related dictionaries, glossaries and encyclopaedias.

  • Appendix B is an extract ('The Lagos Creeper Box') from the fictional story Stealing the Network: How to Own a Continent (also published by Syngress). It is included on the grounds that the security risks to which the book refers could qualify it for a place in a security awareness program. This extract reminded me a little of the Net Force Tom Clancy franchise offshoot, albeit with added techie cred. Not without interest, but it sits oddly in the context of a security glossary.

Though much of Slade's previous writing is malware-related, this book is by no means virus-heavy. In fact, the malware content, albeit accurate as far as it goes, seems oddly dated. A number of older malware examples get a mention, but very little more recent than Nimda or Hybris. I agree that it would be counterproductive to try to include the name of every virus that the reader may have heard about. However, it seems odd to mention more-or-less extinct malware such as Michelangelo or Jerusalem, but to omit more recent high-profile malware such as Sobig and MyDoom.

Similarly, there is no specific reference to botnets, specific bots (though zombies get a mention), or to major network worms like Slammer and Blaster. It would improve the book to include a few more recent, high-impact examples, or even to restrict the number of examples and include only those with a really high profile. There are definitions of phishing (and even of spear phishing), pharming and identity theft, but not of money-laundering or mules (or even of puddle phishing). However, the author points out that this is very much a work 'in progress', anticipating ongoing updates and further editions for years to come. He even includes a pointer to a mailing list for anyone wanting to help with the project, so it seems likely that such anomalies will be dealt with in due course.

Does the book keep its promises?

The Dictionary of Information Security is well written, clear and, while no two security experts are going to agree on every aspect of every definition, accurate. The tone is informal and commendably anti-jargonist. Some of the entries are more flippant than others (check out Ohnosecond, the Ninety-Ninety Rule and Wannabe), but I found that rather refreshing.

A reasonably computer-literate general reader might find it a more consistent and accurate guide than most web resources, without being overly technical. It should find a ready market among computer science and information security students, and even more so among security certification candidates. It would be particularly useful to CISSP candidates to supplement the 'Official (ISC)2 Guide to the CISSP Exam'.

Security professionals needing a definition outside their own speciality may find it a good starting point, and the seasoned generalist might find it useful sometimes as a reliable memory jogger. However, I see it as being more useful to those unfortunate souls who find systems security administration or management thrust upon them suddenly, and who are struggling to keep their nostrils above the water line.

Most of all, it will be appreciated as a source of dependable baseline definitions by anyone who has learned to mistrust the astonishing volumes of misinformation that appear when summoned by Google searches on security terms.

The editing and proofing is generally to a high standard, though there are one or two loose ends: for instance, the definition of ItW refers to the WildList, but there is no definition of the WildList or the WildList Organization. EICAR gets a mention, but CARO does not. URLs are not generally included, which makes sense: it’s much less painful to maintain a resource that is impervious to the whims of webmasters. However, definitions of items such as BS7799 and ITIL might benefit from specific information on where to find reliable further information.

Slade's book fills a pretty wide gap in the market, and is highly recommended.
