Developing Trust: Online Privacy and Security

Authors: Matt Curtin, Peter G. Neumann
ISBN: 1893115720
Published: 04 Dec 2001

Editorial Reviews

Although the harrowing number of Internet-based attacks in recent years has elevated the importance of maintaining secure electronic networks, many developers continue to employ passive security administration strategies, addressing issues by using patches in a non-systematic fashion. This counterproductive strategy can be largely attributed to a lack of knowledge regarding the general concepts required to effectively prevent the attack and potential compromise of networked systems.

Developing Trust: Online Privacy and Security is an indispensable resource for system administrators and application developers, providing a means to understand, create, and maintain secure Internet systems. Matt Curtin's instructional approach facilitates a comprehensive understanding of online security by separating the core material into three sections:

  • Understanding Security and Privacy introduces attack models, general privacy theory and policy, online privacy concepts, and provides a synopsis of the mechanics of threats to privacy.
  • Prevention delves into secure design principles and deployment environments, closing with several case studies of major security problems uncovered by the author himself.
  • The Cure investigates the mechanics of identifying and repairing flawed security design techniques before they are incorporated into the final product. Discussion regarding the failure of "opt-out" systems to protect privacy is also included in this section.

Suitable for the IP manager or developer seeking to improve Web privacy and security, Developing Trust: Online Privacy and Security provides an intriguing, though at times somewhat theoretical, guide to the issues surrounding privacy today.

Interestingly, this book straddles an expert-eye, theoretical overview of what privacy is and a more practical view of how it is often undermined on the Internet today. Early sections cover basic terms and concepts of privacy at a fairly high level. Mixing in sometimes erudite commentary (and an occasional rant), the author's expert-level view does a good job of explaining what privacy is and the larger principles used to protect it. From anonymity to "verinymity" (where sites know who you are), Curtin makes a good case that anonymity is often eventually undermined on today's Web sites. A good section early in the book outlines how a potential attacker might attack a hypothetical Web site for security holes. (We never see the attack carried out, perhaps because it would be irresponsible to do so, but this material establishes Curtin's expertise for the reader.)

Though the early sections largely avoid specific standards and real Internet software, the book soon delves into the nuts and bolts of the Web, for example HTTP, HTML, URLs, and cookies, with an eye to privacy. For most readers, the most fascinating sections of this text will be the author's five case studies on real privacy problems with some of today's leading Web sites and vendors (including Netscape and DoubleClick). He shows how certain features--like cookies--can undermine privacy (or even the ability to "opt out" successfully). A follow-up chapter cements the argument that if Web sites collect "anonymous" browsing behavior, it is all too easy to connect users' real identities to their supposedly anonymous profiles later on, putting privacy in jeopardy. Finally, the author makes a good argument that protecting privacy is good business sense.

The book concludes with more practical advice on implementing good security practices, including an excellent discussion of firewalls, DMZs, including their limitations, and a checklist for beefing up security in your organization. The text closes with a final case study of a hypothetical Web site (which serves up content from third parties) that arguably "does it right" regarding privacy, based on the author's earlier discussion.

While the mix of theoretical and practical here will not suit everyone, there's little doubt that the author's in-depth understanding of the issues surrounding privacy today can help your organization do better with privacy and security. While this title will not help you configure Internet Information Server, for instance, it will help you plan high-level strategies for improved security, as well as show you why protecting user and organizational privacy makes good business sense. --Richard Dragan
