REVIEW: "Network Security Assessment", Steve Manzuik/Andre Gold/Chris Gatford

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Dec 23, 2009.

    BKNESEAS.RVW 20091004

    "Network Security Assessment", Steve Manzuik/Andre Gold/Chris Gatford,
    2007, 978-1-59749-101-3, U$59.95/C$77.95
    %A Steve Manzuik
    %A Andre Gold
    %A Chris Gatford
    %C 800 Hingham Street, Rockland, MA 02370
    %D 2007
    %G 978-1-59749-101-3 1-59749-101-2
    %I Syngress Media, Inc.
    %O U$59.95/C$77.95 781-681-5151
    %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
    %P 372 p.
    %T "Network Security Assessment: From Vulnerability to Patch"

    Chapter one is a general discussion of vulnerabilities and risk. The
    material makes the process (and threat environment) seem more
    formalized and simpler than it really is. Initially the review of
    vulnerabilities seems limited to coding issues, but later parts of the
    book concentrate almost exclusively on network issues. A broad
    overview of the usual "discovery/enumeration/analysis" style of
    penetration testing is given in chapter two. Assessment tools are
    noted in chapter three, although the content is mostly a duplication
    from two. While most of the suggestions are reasonable (yes, you do
    want a low rate of false positive alarms), some are unrealistic (a
    zero rate of false negative results is almost inherently impossible to

    Chapter four addresses the discovery stage, though not in much depth.
    Similarly, chapter five's examples of enumeration are limited to
    various scans. Chapter six repeats the penetration testing review
    from chapter two, but with different examples.

    Vulnerability management, as delineated in chapter seven, is simply a
    project cycle with some audit functions included. Chapter eight is a
    terse listing of vulnerability management tools. The content of
    chapter seven is repeated in chapter nine, in a more confused form,
    and now under the title "Vulnerability and Configuration Management."
    "Regulatory Compliance," in chapter ten, is restricted to a brief
    discussion of the Payment Card Industry Data Security Standard, and
    the US Sarbanes-Oxley law. Chapter eleven re-reviews the chapters in
    the book.

    An appendix covers legal factors for a variety of information security

    The material in this work provides a decent introduction to
    vulnerability assessment and penetration testing, but with a great
    deal of padding and duplication. Condensed into a magazine article,
    instead of running to almost four hundred pages, it could have been
    very useful. There is also a chance that the reader will be misled by
    the doctrinaire stance in many cases, such as the presentation of
    penetration testing as distinct from vulnerability assessment, when
    the reality is a continuum, with most people taking a hybrid approach.
    Overall the book is a good start, but those wishing to actually begin
    working with assessments will need additional help.

    copyright Robert M. Slade, 2009 BKNESEAS.RVW 20091004


    "Dictionary of Information Security," Syngress 1597491152