Defeating the Hacker review

Editors' Rating: 7.5 (Very Good)

Wendy M Grossman ZDNet.co.uk

Published: 30 Mar 2006

Way back in the early 1980s, Robert Schifreen shot to notoriety as one of the hackers who broke into Prince Philip's mailbox on the Prestel service. It was this case that, after the Law Lords ruled that the forgery laws did not cover typing a user name and password into a computer screen, instigated the drafting and passage of the Computer Misuse Act in 1984. Schifreen has spent the intervening years being a respectable computer journalist, and his specialty -- as you might expect -- is security. Defeating the Hacker: A Non-Technical Guide to IT Security is the result of years of writing, research and speaking at conferences on security topics.

Despite the title, much of the book is more or less generic security advice. The same precautions that prevent a hacker from stealing your data also protect against network abuse by employees or accidental loss of data when a notebook computer gets left in a taxi. It's just that protecting your company from hackers sounds more compelling than, say, protecting your company from disgruntled former employees -- who, as Schifreen points out early in the book, are far more likely to be a risk.

Nonetheless, anyone who's ever glanced at their firewall logs is going to urge caution. If hackers don't get you, then viruses, phishing attacks, spyware or criminals might.

It's hard to imagine that there's any category of computer user -- domestic, small business, corporate -- who won't find something of value in this book. Much of it is, of course, standard: don't make the Administrator account on a Windows machine the one you use all the time for everything; don't let employees download pornography or engage in file-sharing; make backups and store them off-site; have a disaster recovery plan. Schifreen includes advice on everything from configuring email to penetration testing and picking out a training programme.

On the other hand, Defeating the Hacker is narrower than it might be. Most advice is generic, but the advice that isn't is almost wholly geared towards Windows machines. Nowhere does Schifreen talk about any special problems that might arise from integrating Linux systems or Apple Macs. For example, he gives fairly detailed instructions on how to secure a newly installed Windows machine, but says nothing about how to do the same for any other platform. In some cases, Schifreen's advice is one-sided. For example, he talks about the security value of using Digital Rights Management and encryption software, but not about the risk that corrupted software or a lost password could leave you with a pile of unreadable gibberish.

This book is 'non-technical', and so lacks coverage of more arcane topics such as using VPNs to secure wireless connections from notebooks and other devices into the company network, additional risks with Bluetooth such as Bluesnarfing, and how to keep track of complex firewall rules. There's also very little about the new risks posed by handhelds and smartphones or, beyond the warning not to allow staff to post their work email addresses, instant messaging, or even VoIP.

In general, however, Defeating the Hacker is a useful and well-written book, particularly for home and small business users. Enterprises may prefer something broader and more strategic, though. A sample chapter is available online here.

Member Opinion

Average Member Rating: 9.0 (Spectacular); 2 Members have reviewed this product.

Anonymous: Great to have all this info in one place.

Overview

Verdict: Robert Schifreen's Defeating the Hacker is a useful and well-written book, whose non-technical approach makes it accessible to a wide audience.

Typical price: £18