Information security failures usually get lots of attention. Some organization or Web site gets attacked, and hundreds of thousands of passwords or a spreadsheet full of sensitive user information gets released. Or the information falls into the hands of people with fewer scruples. Maybe someone just gets careless and leaves a thumb drive in the car, and someone else walks off with it. You only have to look at security-oriented Web sites to come up with far too many cases like these. Some of the failures are less publicized, but that might in itself cause more problems, as the individuals at risk may not know they’re at risk.
On the other hand, success stories--when a company or organization manages to keep its information secure and safe--are almost never heard about. Such successes usually don’t come without a lot of work and a lot of knowledge. This book is a good way for newcomers to the security field, or those who want an overview of a goodly sampling of security issues, to start understanding both the issues and possible defenses.
It is very much a workbook, with numerous in-line problems to work on and a nice set of questions and exercises for each chapter; answers appear in an appendix. Many of the exercises involve using specific software to look at events as they occur. For more resources, the book has an associated Web site (http://www.appliedinfsec.ch) with three Linux virtual machines set up to run the various exercises in VirtualBox, which is available for Linux, Windows, and Mac OS systems.
The book includes chapters on basic security principles, network services, authentication, log analysis, Web application security, certificates, and risk management. The appendices include a sample longer project (suitable for classroom use), a very nice template for a risk analysis report (with LaTeX available from the Web site), and answers to the questions and problems (making the book nice for self-study).
The Linux operating system is used throughout the book, but most of the topics are essentially cross-platform. Certificates work about the same on any system. Using Linux as a base does mean that specific open-source tools can be used, and it facilitates the setup of specific exercises based on the virtual machine images on the Web site.
The Web site mentions an added chapter on computer forensics, with a virtual machine image to go along with it, but the links are not yet active. The chapter on risk management is good, but touches on issues that could have used a bit more elucidation (such as secure and verified backup, and floods). That being said, a detailed chapter on risk management would be several times longer than the whole of this book.
It would be nice if the authors listed the online references on the Web site and kept the Web site updated with links to recent related information and news items (such as password leaks). This would not only make reading such links easier, but it would also give readers a better feel for all the awfulness that might occur if good security practices are not followed.
The book is short, but has numerous references to online publications worth reading. It is very readable and well organized, and the questions and exercises are generally very good. It is an excellent introduction to the subject and would make a good upper-level undergraduate text. It would also be quite useful as a self-study text for someone new to the field.